Privacy Policy

Last updated: 26 May 2026

Data protection at a glance
Hosting and Content Delivery Networks (CDN)
General information and mandatory information
Data collection on this website
Newsletter
Plugins, tools and analytics
eCommerce and payment providers
Audio and video conferencing
Our own services
Our social media presence
Information for international users (USA, Brazil)

1. Data protection at a glance

General information

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you. For detailed information on the subject of data protection, please refer to our privacy policy listed below this text.

Data collection on this website

Who is responsible for the data collection on this website?

Data processing on this website is carried out by the website operator. You can find the operator's contact details in the section "Information about the responsible party" in this privacy policy.

How do we collect your data?

Your data is collected, on the one hand, by you providing it to us. This may, for example, be data that you enter in a contact form.

Other data is collected automatically or with your consent by our IT systems when you visit the website. This is primarily technical data (e.g. internet browser, operating system, or time of the page request). This data is collected automatically as soon as you enter this website.

What do we use your data for?

Part of the data is collected to ensure error-free provision of the website. Other data may be used to analyse user behaviour.

What rights do you have regarding your data?

You have the right at any time to obtain information free of charge about the origin, recipients and purpose of your stored personal data. You also have the right to request the correction or deletion of this data. If you have given your consent to data processing, you can withdraw this consent at any time for the future. You also have the right, under certain circumstances, to request restriction of the processing of your personal data. In addition, you have the right to lodge a complaint with the competent supervisory authority.

You may contact us at any time regarding this and other questions on the subject of data protection.

Analytics tools and third-party tools

When you visit this website, your browsing behaviour may be statistically analysed. This is mainly done using so-called analytics programs.

Detailed information on these analytics programs can be found in the privacy policy below.

2. Hosting and Content Delivery Networks (CDN)

External hosting

This website is hosted by an external service provider (hosting provider). The personal data collected on this website is stored on the servers of the hosting provider. This may include, in particular, IP addresses, contact requests, meta and communication data, contract data, contact data, names, website access data and other data generated via a website.

The hosting provider is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6(1)(b) GDPR) and in the interest of a secure, fast and efficient provision of our online offering by a professional provider (Art. 6(1)(f) GDPR). Where appropriate consent has been requested, processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and Section 25(1) TDDDG (German Telecommunications-Telemedia Data Protection Act), insofar as consent covers the storage of cookies or access to information on the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be withdrawn at any time.

Our hosting provider will only process your data to the extent necessary to fulfil its performance obligations and will follow our instructions regarding this data.

We use the following hosting provider:

BERGNET GmbH

3. General information and mandatory information

Data protection

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.

When you use this website, various items of personal data are collected. Personal data is data that can be used to personally identify you. This privacy policy explains which data we collect and what we use it for. It also explains how and for what purpose this is done.

We would like to point out that data transmission over the internet (e.g. when communicating by email) may have security vulnerabilities. Complete protection of data against access by third parties is not possible.

Information about the responsible party

The party responsible for data processing on this website is:

Umfulana GmbH
Karlheinz-Stockhausen-Platz 7
51515 Kürten
Germany

Phone: +49 (0)2268 92298-0
Email: info@umfulana.de

The responsible party is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, email addresses, etc.).

Storage period

Unless a more specific storage period has been specified within this privacy policy, your personal data will remain with us until the purpose for the data processing no longer applies. If you assert a legitimate request for deletion or withdraw your consent to data processing, your data will be deleted unless we have other legally permissible grounds for storing your personal data (e.g. tax or commercial law retention periods); in the latter case, deletion will take place once these grounds cease to apply.

General information on the legal bases for data processing on this website

If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR if special categories of data pursuant to Art. 9(1) GDPR are processed. In the case of express consent to the transfer of personal data to third countries, data processing also takes place on the basis of Art. 49(1)(a) GDPR. If you have consented to the storage of cookies or to the access to information on your terminal device (e.g. via device fingerprinting), the data processing additionally takes place on the basis of Section 25(1) TDDDG. Consent can be withdrawn at any time. If your data is required for the performance of a contract or for pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. Furthermore, we process your data if this is necessary for compliance with a legal obligation on the basis of Art. 6(1)(c) GDPR. Data processing may also take place on the basis of our legitimate interest in accordance with Art. 6(1)(f) GDPR. Information on the relevant legal bases in each individual case is provided in the following paragraphs of this privacy policy.

Data Protection Officer

We have appointed a data protection officer for our company.

Five Consulting
Klaus Pampuch
Frankenforster Str. 44
51427 Bergisch Gladbach
Germany

https://www.five.consulting

Phone: +49 2204-7060940
Email: umfulana@five.consulting

Information on the transfer of data to the USA and other third countries

Among other things, we use tools from companies based in the USA or other third countries that are not secure under data protection law. When these tools are active, your personal data may be transferred to these third countries and processed there. We would like to point out that no level of data protection comparable to that in the EU can be guaranteed in these countries. For example, US companies are required to disclose personal data to security authorities without the data subject being able to take legal action against this. It cannot therefore be ruled out that US authorities (e.g. intelligence services) may process, evaluate and permanently store your data located on US servers for surveillance purposes. We have no influence on these processing activities.

Withdrawal of your consent to data processing

Many data processing operations are only possible with your express consent. You can withdraw consent you have already given at any time. The lawfulness of data processing carried out before the withdrawal remains unaffected by the withdrawal.

Right to object to the collection of data in special cases and to direct marketing (Art. 21 GDPR)

If data processing is carried out on the basis of Art. 6(1)(e) or (f) GDPR, you have the right at any time to object, on grounds relating to your particular situation, to the processing of your personal data; this also applies to profiling based on these provisions. The respective legal basis on which any processing is based can be found in this privacy policy. If you object, we will no longer process your affected personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims (objection pursuant to Art. 21(1) GDPR).

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is associated with such direct marketing. If you object, your personal data will subsequently no longer be used for direct marketing purposes (objection pursuant to Art. 21(2) GDPR).

Right to lodge a complaint with the competent supervisory authority

In the event of breaches of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged breach. The right to lodge a complaint exists irrespective of any other administrative or judicial remedies.

Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfilment of a contract handed over to you or to a third party in a commonly used, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done insofar as it is technically feasible.

SSL / TLS encryption

For security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Information, deletion and correction

Within the framework of the applicable statutory provisions, you have the right at any time to free information about your stored personal data, its origin and recipient, and the purpose of the data processing and, if applicable, a right to correction or deletion of this data. You can contact us at any time for this and other questions regarding personal data.

Right to restriction of processing

You have the right to request the restriction of the processing of your personal data. You can contact us at any time for this purpose. The right to restriction of processing exists in the following cases:

If you dispute the accuracy of your personal data stored by us, we generally need time to verify this. For the duration of the review, you have the right to request the restriction of the processing of your personal data.
If the processing of your personal data took place / is taking place unlawfully, you can request the restriction of data processing instead of deletion.
If we no longer need your personal data but you need it to exercise, defend or assert legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion.
If you have lodged an objection pursuant to Art. 21(1) GDPR, a balance must be struck between your interests and ours. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.

If you have restricted the processing of your personal data, this data may – apart from being stored – only be processed with your consent or to assert, exercise or defend legal claims, or to protect the rights of another natural or legal person, or for reasons of important public interest of the European Union or of a Member State.

4. Data collection on this website

Cookies

Our websites use so-called "cookies". Cookies are small text files and do not cause any damage to your terminal device. They are stored either temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your terminal device. Session cookies are automatically deleted after the end of your visit. Permanent cookies remain stored on your terminal device until you delete them yourself or they are automatically deleted by your web browser.

In some cases, cookies from third-party companies may also be stored on your terminal device when you enter our site (third-party cookies). These enable us or you to make use of certain services of the third-party company (e.g. cookies for processing payment services).

Cookies have different functions. Numerous cookies are technically necessary because certain website functions would not work without them (e.g. the shopping cart function or the display of videos). Other cookies are used to analyse user behaviour or to display advertising.

Cookies that are required to carry out the electronic communication process, to provide certain functions desired by you (e.g. for the shopping cart function) or to optimise the website (e.g. cookies to measure the web audience) (necessary cookies) are stored on the basis of Art. 6(1)(f) GDPR, unless another legal basis is specified. The website operator has a legitimate interest in the storage of necessary cookies for the technically error-free and optimised provision of its services. Where consent has been requested for the storage of cookies and comparable recognition technologies, processing is carried out exclusively on the basis of this consent (Art. 6(1)(a) GDPR and Section 25(1) TDDDG); consent can be withdrawn at any time.

You can set your browser to inform you about the setting of cookies and to allow cookies only in individual cases, to exclude the acceptance of cookies for certain cases or in general, and to activate the automatic deletion of cookies when the browser is closed. If cookies are deactivated, the functionality of this website may be limited.

Insofar as cookies are used by third-party companies or for analytics purposes, we will inform you separately about this within the framework of this privacy policy and, if applicable, request your consent.

Contact form

If you send us enquiries via the contact form, your information from the enquiry form, including the contact data you provide there, will be stored by us for the purpose of processing the enquiry and in the event of follow-up questions. We will not pass on this data without your consent.

The processing of this data is based on Art. 6(1)(b) GDPR, provided that your enquiry is related to the fulfilment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective handling of enquiries directed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) if this has been requested; consent can be withdrawn at any time.

The data you enter in the contact form will remain with us until you request us to delete it, withdraw your consent to its storage, or the purpose for the data storage no longer applies (e.g. after your enquiry has been processed). Mandatory statutory provisions – in particular retention periods – remain unaffected.

Enquiry by email, telephone or fax

If you contact us by email, telephone or fax, your enquiry, including all resulting personal data (name, enquiry), will be stored and processed by us for the purpose of processing your request. We will not pass on this data without your consent.

The data you send us via contact enquiries will remain with us until you request us to delete it, withdraw your consent to its storage, or the purpose for the data storage no longer applies (e.g. after your enquiry has been processed). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.

5. Newsletter

Newsletter data

If you would like to receive the newsletter offered on the website, we require an email address from you, as well as information that allows us to verify that you are the owner of the email address provided and that you agree to receive the newsletter. No further data is collected, or only on a voluntary basis. We use this data exclusively for sending the requested information and do not pass it on to third parties.

The processing of the data entered in the newsletter registration form takes place exclusively on the basis of your consent (Art. 6(1)(a) GDPR). You can withdraw the consent given to the storage of the data, the email address and its use for sending the newsletter at any time, for example via the "unsubscribe" link in the newsletter. The lawfulness of the data processing operations already carried out remains unaffected by the withdrawal.

The data you have provided to us for the purpose of receiving the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and will be deleted from the newsletter distribution list after you unsubscribe or when the purpose ceases to apply. We reserve the right to delete or block email addresses from our newsletter distribution list at our discretion within the scope of our legitimate interest pursuant to Art. 6(1)(f) GDPR.

Data stored with us for other purposes remains unaffected.

After you have unsubscribed from the newsletter distribution list, your email address may be stored by us or the newsletter service provider in a blacklist, if necessary, to prevent future mailings. The data from the blacklist is only used for this purpose and is not merged with other data. This serves both your interest and our interest in complying with legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6(1)(f) GDPR). Storage in the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest.

Direct marketing

We use your email address, which we received as part of a travel booking, for the electronic transmission of advertising for other trips that are similar to those you have already booked with us, insofar as you have not objected to this use. Processing takes place on the basis of Art. 6(1)(f) GDPR from our overriding legitimate interest in direct marketing. You can object to this use of your email address at any time by sending us a notification. You can find the contact details for exercising the objection in the imprint. You can also use the link provided for this purpose in the marketing email.

6. Plugins, tools and analytics

We use analytics and marketing services on our website in order to evaluate the use of our offerings and to provide you with content and advertising tailored to your needs. All services described in this section are loaded exclusively after your express consent (Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG). You grant or withdraw your consent via our consent management tool (Usercentrics, see below).

Google Analytics 4

This website uses functions of the web analytics service Google Analytics 4. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables us to analyse the behaviour of our website visitors. In doing so, the website operator receives various usage data, such as page views, length of stay, operating systems used and origin of the user. This data is combined into a user ID and assigned to the respective end device of the website visitor.

We have activated IP anonymisation on this website. As a result, your IP address will be shortened by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area before being transmitted to the USA. We also use the Google Consent Mode v2. As long as no consent is given, no cookies are set and no personal data is transmitted to Google ("Default Denied"); we additionally activate ads_data_redaction to reduce advertising-related parameters.

The legal basis for the use of Google Analytics is your consent pursuant to Art. 6(1)(a) GDPR. The data transfer to the USA is based on the EU Commission's Standard Contractual Clauses and on the EU-US Data Privacy Framework (adequacy decision of the EU Commission of 10 July 2023). Details: https://policies.google.com/privacy.

Matomo (self-hosted)

This website uses the open-source web analytics service Matomo. Matomo is hosted by us on our own servers in Germany (https://www.umfulana.de/matomo/); there is no transfer to third parties or to third countries.

With the help of Matomo, we collect and analyse data on the use of our website. We find out, among other things, when which pages were accessed by you and from which region you come from. We also collect various log files (including IP address, referrer, browsers and operating systems used) and the length of stay on our website. The processing is based on your consent pursuant to Art. 6(1)(a) GDPR.

Hotjar

This website uses Hotjar to better understand the needs of our users and to optimise the offering on this website. The provider is Hotjar Ltd., Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta.

With the help of Hotjar technology, we get a better understanding of the experiences of our users (e.g. how much time users spend on which pages, which links they click on, what they like and don't like, etc.) and this helps us to tailor our offering to user feedback. Hotjar works with cookies and other technologies to collect information about the behaviour of our users and their end devices (in particular IP address of the device – recorded and stored in a shortened form – screen size, device type, browser information, location – only country, preferred language for displaying our website). This information is stored in a pseudonymised user profile.

The legal basis is your consent pursuant to Art. 6(1)(a) GDPR. Further information can be found in Hotjar's privacy policy: https://www.hotjar.com/legal/policies/privacy/.

Meta Pixel (formerly Facebook Pixel)

For the purpose of conversion measurement and for marketing purposes, this website uses the "Meta Pixel" of Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta").

When consent is activated, user behaviour can be tracked after users have been directed to the provider's website by clicking on a Meta advertisement. This process is used to evaluate the effectiveness of Meta advertisements for statistical and market research purposes and can help to optimise future advertising measures.

The data collected is anonymous for us as the operator of this website; we cannot draw any conclusions about the identity of the users. However, the data is stored and processed by Meta and can be linked to the respective user profile, enabling Meta to use the data for its own advertising purposes. This allows Meta to place advertisements on Meta pages as well as outside Meta.

Insofar as personal data is transferred to Meta via the Meta Pixel, we and Meta are jointly responsible for this data processing pursuant to Art. 26 GDPR. The required agreement on joint responsibility (Joint Controller Agreement) can be found at https://www.facebook.com/legal/controller_addendum. The data transfer to the USA is based on the EU Commission's Standard Contractual Clauses and the EU-US Data Privacy Framework.

The legal basis is your consent pursuant to Art. 6(1)(a) GDPR. You can withdraw your consent at any time via our consent management tool. Further information on protecting your privacy at Meta: https://www.facebook.com/about/privacy/.

Usercentrics Consent Management

To obtain, manage and document consents for the services mentioned above, we use the consent management platform of Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany. For this purpose, a randomly generated controller ID, a consent ID, consent status, time of consent, browser information, device information and an anonymised IP address are processed. The legal basis is Art. 6(1)(c) GDPR in conjunction with our duty to provide evidence under Art. 7(1) GDPR. Details: https://usercentrics.com/privacy-policy/.

The following overview lists all services currently embedded on this website with detailed information on purpose, cookies set, provider and third-country transfer:

7. eCommerce and payment providers

Processing of data (customer and contract data)

We collect, process and use personal data only insofar as it is necessary for the establishment, content design or modification of the legal relationship (inventory data). This is done on the basis of Art. 6(1)(b) GDPR, which permits the processing of data for the performance of a contract or pre-contractual measures. We collect, process and use personal data on the use of this website (usage data) only insofar as this is necessary to enable the user to use the service or to bill the user.

The customer data collected is deleted after completion of the order or termination of the business relationship. Statutory retention periods remain unaffected.

Data transfer upon conclusion of a contract for online shops, retailers and shipping of goods

When you order goods from us, we pass your personal data on to the transport company responsible for delivery and to the payment service provider entrusted with the payment processing. Only such data is released that the respective service provider requires to fulfil its task. The legal basis for this is Art. 6(1)(b) GDPR, which permits the processing of data for the performance of a contract or pre-contractual measures. If you have given your corresponding consent pursuant to Art. 6(1)(a) GDPR, we will pass on your email address to the transport company entrusted with the delivery so that it can inform you by email about the shipping status of your order; you can withdraw your consent at any time.

Payment services

We integrate payment services from third-party companies on our website. When you make a purchase with us, your payment data (e.g. name, payment amount, account details, credit card number) is processed by the payment service provider for the purpose of payment processing. The respective contractual and data protection provisions of the respective providers apply to these transactions. The use of the payment service providers takes place on the basis of Art. 6(1)(b) GDPR (contract processing) and in the interest of a smooth, convenient and secure payment process (Art. 6(1)(f) GDPR). Insofar as your consent is requested for certain actions, Art. 6(1)(a) GDPR is the legal basis for the data processing; consents can be withdrawn at any time with effect for the future.

We use the following payment services / payment service providers as part of this website:

Stripe

The provider for customers within the EU is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (hereinafter "Stripe").

The data transfer to the USA is based on the EU Commission's Standard Contractual Clauses. Details can be found here: https://stripe.com/privacy and https://stripe.com/guides/general-data-protection-regulation.

You can read more about this in Stripe's privacy policy at the following link: https://stripe.com/privacy.

8. Audio and video conferencing

Data processing

Among other things, we use online conferencing tools to communicate with our customers. The tools we use individually are listed below. When you communicate with us by video or audio conference via the internet, your personal data will be collected and processed by us and the provider of the respective conference tool.

The conference tools collect all data that you provide/use to use the tools (email address and/or phone number). Furthermore, the conference tools process the duration of the conference, start and end (time) of participation in the conference, number of participants and other "context information" related to the communication process (metadata).

Furthermore, the provider of the tool processes all technical data required for the handling of the online communication. This includes in particular IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or loudspeaker and the type of connection.

If content is exchanged, uploaded or otherwise provided within the tool, this is also stored on the servers of the tool provider. Such content includes, in particular, cloud recordings, chat / instant messages, voicemails, uploaded photos and videos, files, whiteboards and other information shared during the use of the service.

Please note that we do not have full influence on the data processing operations of the tools used. Our options are largely determined by the corporate policy of the respective provider. Further information on data processing by the conferencing tools can be found in the privacy policies of the respective tools used, which we have listed below this text.

Purpose and legal bases

The conferencing tools are used to communicate with prospective or existing contractual partners or to offer certain services to our customers (Art. 6(1)(b) GDPR). Furthermore, the use of the tools serves the general simplification and acceleration of communication with us or our company (legitimate interest within the meaning of Art. 6(1)(f) GDPR). Insofar as consent has been requested, the use of the respective tools is based on this consent; consent can be withdrawn at any time with effect for the future.

Storage period

Data collected directly by us via the video and conferencing tools will be deleted from our systems as soon as you request us to delete it, withdraw your consent to its storage, or the purpose for the data storage no longer applies. Stored cookies remain on your terminal device until you delete them. Mandatory statutory retention periods remain unaffected.

We have no influence on the storage period of your data stored by the operators of the conferencing tools for their own purposes. For details, please contact the operators of the conferencing tools directly.

Conferencing tools used

We use the following conferencing tools:

Google Meet

We use Google Meet. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For details on data processing, please refer to Google Meet's privacy policy: https://policies.google.com/privacy.

Microsoft Teams

We use Microsoft Teams. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. For details on data processing, please refer to Microsoft Teams' privacy policy: https://privacy.microsoft.com/en-us/privacystatement.

Data processing agreement

We have concluded a data processing agreement (DPA) with the providers mentioned above. This is a contract required by data protection law, which ensures that the providers only process the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.

9. Our own services

Data processing when using the Umfulana account

When you log in with your Umfulana account, we process, in addition to the information you have provided to us in connection with your enquiry or booking (legal basis Art. 6(1)(b) GDPR), also automatic information such as the sequence of pages of our website that you visit, including date and time, cookie, the content you have viewed or searched for, including the duration until a webpage is built, any errors that occur, and information on the interaction between pages.

The processing of the automatic information takes place exclusively on the basis of Art. 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as the consent covers the storage of cookies or access to information on the user's terminal device within the meaning of the TDDDG. Consent can be withdrawn at any time.

Data processing when using the Umfulana app

The Umfulana app uses plugins from Mapbox (https://www.mapbox.com/). When you visit one of our pages equipped with a Mapbox plugin, a connection to Mapbox's servers is established. The Mapbox server is informed of which pages you have visited. For more information on the handling of user data, please refer to Mapbox's privacy policy.

The legal basis for processing the data is Art. 6(1)(f) GDPR. The legitimate interest is the provision of map material for displaying waypoints (hotels, car rental stations, sights) of the respective trip.

Handling of applicant data

We offer you the opportunity to apply to us (e.g. by email, post or via an online applicant form). Below we inform you about the scope, purpose and use of your personal data collected as part of the application process. We assure you that the collection, processing and use of your data will be carried out in accordance with applicable data protection law and all other statutory provisions, and that your data will be treated with strict confidentiality.

Scope and purpose of data collection

If you send us an application, we will process your associated personal data (e.g. contact and communication data, application documents, notes from job interviews, etc.) insofar as this is necessary for the decision on the establishment of an employment relationship. The legal basis for this is Section 26 BDSG under German law (initiation of an employment relationship), Art. 6(1)(b) GDPR (general contract initiation), and – if you have given your consent – Art. 6(1)(a) GDPR. Consent can be withdrawn at any time. Your personal data will be passed on within our company exclusively to persons involved in processing your application.

If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of Section 26 BDSG and Art. 6(1)(b) GDPR for the purpose of carrying out the employment relationship.

Retention period of the data

If we are unable to make you a job offer, you reject a job offer or you withdraw your application, we reserve the right to retain the data you have submitted on the basis of our legitimate interests (Art. 6(1)(f) GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). The data will then be deleted and the physical application documents destroyed. Retention serves in particular as proof in the event of a legal dispute. If it is evident that the data will be required after the expiry of the 6-month period (e.g. due to an imminent or pending legal dispute), deletion will only take place when the purpose for further retention no longer applies.

Longer retention may also take place if you have given your consent (Art. 6(1)(a) GDPR) or if statutory retention obligations prevent deletion.

10. Our social media presence

Data processing by social networks

We maintain publicly accessible profiles on social networks. The individual social networks we use can be found below.

Social networks such as Facebook, Twitter, etc. can usually comprehensively analyse your user behaviour when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners). Visiting our social media presence triggers numerous data protection-relevant processing operations. In detail:

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, this data collection takes place, for example, via cookies that are stored on your terminal device or by collecting your IP address.

With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed inside and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are logged in or were logged in.

Please also note that we cannot trace all processing operations on the social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and privacy policies of the respective social media portals.

Legal basis

Our social media presence is intended to ensure the most comprehensive presence on the internet possible. This is a legitimate interest within the meaning of Art. 6(1)(f) GDPR. The analysis processes initiated by the social networks may be based on different legal bases, which are to be specified by the operators of the social networks (e.g. consent within the meaning of Art. 6(1)(a) GDPR).

Controller and assertion of rights

When you visit one of our social media presences (e.g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. You can in principle assert your rights (information, correction, deletion, restriction of processing, data portability and complaint) both vis-à-vis us and vis-à-vis the operator of the respective social media portal (e.g. vis-à-vis Facebook).

Please note that despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are largely determined by the corporate policy of the respective provider.

Storage period

Data collected directly by us via the social media presence will be deleted from our systems as soon as you request us to delete it, withdraw your consent to its storage, or the purpose for the data storage no longer applies. Stored cookies remain on your terminal device until you delete them. Mandatory statutory provisions – in particular retention periods – remain unaffected.

We have no influence on the storage period of your data stored by the operators of the social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g. in their privacy policy, see below).

Social networks in detail

Facebook

We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. According to Facebook, the data collected is also transferred to the USA and other third countries.

We have concluded an agreement with Facebook on joint processing (Controller Addendum). This agreement specifies which data processing operations we or Facebook are responsible for when you visit our Facebook page. You can view this agreement at the following link: https://www.facebook.com/legal/terms/page_controller_addendum.

You can adjust your advertising settings independently in your user account. To do so, click on the following link and log in: https://www.facebook.com/settings?tab=ads.

The data transfer to the USA is based on the EU Commission's Standard Contractual Clauses. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://www.facebook.com/help/566994660333381.

For details, please refer to Facebook's privacy policy: https://www.facebook.com/about/privacy/.

Instagram

We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

The data transfer to the USA is based on the EU Commission's Standard Contractual Clauses. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum

We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.

If you would like to deactivate LinkedIn advertising cookies, please use the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

The data transfer to the USA is based on the EU Commission's Standard Contractual Clauses. Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs.

For details on how they handle your personal data, please refer to LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy.

Twitter

We use the short message service Twitter. The provider is Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland.

You can adjust your Twitter privacy settings independently in your user account. To do so, click on the following link and log in:
https://twitter.com/personalization.

The data transfer to the USA is based on the EU Commission's Standard Contractual Clauses. Details can be found here: https://gdpr.twitter.com/en/controller-to-controller-transfers.html.

For details, please refer to Twitter's privacy policy: https://twitter.com/en/privacy.

11. Information for international users (USA, Brazil)

The following sections contain supplementary information for users from certain jurisdictions outside the European Union. Regardless of your place of residence, the rights and obligations under the GDPR described in the preceding sections also apply to you. Where your rights under local laws overlap with those under the GDPR, we will grant you the more extensive protection in each case.

The Data Controller within the meaning of these international data protection laws is Umfulana GmbH, Karlheinz-Stockhausen-Platz 7, 51515 Kürten, Germany. You can submit requests to exercise your rights via two contact channels:

by email to our external Data Protection Officer: umfulana@five.consulting
by phone via our headquarters: +49 (0)2268 92298-0

Categories of personal information we process

In the past twelve months, depending on the specific use of our website and app, we have processed the following categories of personal information:

Identifiers – name, postal address, email address, phone number, IP address, device identifiers, customer number.
Customer records pursuant to § 1798.80(e) Cal. Civ. Code – contract and booking information, payment and billing data.
Commercial information – travel bookings, booking history, product interests.
Internet or other electronic network activity – log and usage data, click and search history within our website and app, push tokens.
Geolocation data – approximate location derived from IP address. We do not collect precise device location data; our app does not request this permission.
Inferences – travel preferences derived from your enquiries and bookings for the purpose of individual consulting.
Audio / visual information – only if you actively send us photos or voice messages.
Professional or employment-related information – exclusively in the application context (see separate privacy notice for applicants).

The purposes of the processing and the legal bases arise from the preceding sections of this privacy policy.

Sensitive personal information

To the extent that you voluntarily disclose health information to us during a travel booking (e.g. allergies, mobility restrictions, fitness to travel), we process this information exclusively on the basis of your express consent (Art. 9(2)(a) GDPR; § 1798.121 Cal. Civ. Code) for the purpose of contract performance. This data is not used to infer characteristics outside the travel context and is not shared with uninvolved third parties. You can withdraw your consent at any time.

We do not generally process data relating to race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data for unique identification, nor data concerning sex life or sexual orientation.

Sale or "sharing" of personal information

Umfulana does not sell your personal information within the meaning of the definitions under CCPA/CPRA, CPA, CTDPA, UCPA, VCDPA, TDPSA, MCDPA or OCPA. In particular, we do not receive monetary or other valuable consideration for the transfer of your data to third parties.

However, with your express consent, we use analytics and advertising technologies on our website (in particular the Meta Pixel and Google Analytics 4; see Section 6). These technologies transfer usage data to the respective providers, who may also use it for their own cross-context behavioural advertising. Under the broad definition of CCPA/CPRA and comparable US state laws, such data transfers may qualify as "sharing" or "sale", even though from our perspective they are used exclusively for reach measurement and advertising optimisation.

You have the right at any time to prohibit such "sharing" or "sale" (Right to Opt-Out of Sale or Sharing). You can exercise this right in the following ways:

via our consent management tool (cookie banner / "Settings" button at the bottom of the screen), where you can individually disable analytics and marketing services or withdraw your consent;
via a Global Privacy Control (GPC) signal from your browser, which we recognise as a valid opt-out and honour for the duration of the session;
by email to umfulana@five.consulting or by phone at +49 (0)2268 92298-0.

We do not knowingly disclose personal information to third parties for the purpose of sale or "sharing" if we have actual knowledge that the consumer is a minor under 16 years of age.

11.1 Information for users from California (CCPA/CPRA)

If you reside in California, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), grants you the following rights:

Right to Know: You may request information about which categories of personal information we have collected about you, from which sources, for which purposes, with which categories of recipients we have shared them, and a copy of the specific personal information collected about you.
Right to Delete: You may request the deletion of the personal information we have collected about you, subject to statutory exceptions (e.g. retention obligations).
Right to Correct: You may request the correction of inaccurate personal information.
Right to Know If Sold or Shared: You have the right to know whether your data is sold or shared within the meaning of the CPRA. An explanation of the conditions under which the integration of advertising and analytics tags can be considered "sharing" or "sale" can be found above in the section "Sale or 'sharing' of personal information".
Right to Opt-Out of Sale or Sharing: You can object to such transfers at any time via our consent management tool, by submitting a Global Privacy Control signal from your browser, or by contacting us by email or phone. We will implement your objection without delay, no later than within 15 business days.
Right to Limit Use of Sensitive Personal Information: You can have the use of sensitive personal information limited to the extent necessary for contract performance.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. In particular, we will not deny you services, charge you different prices or provide you with a lower quality of service.

To exercise your rights, please contact umfulana@five.consulting. We will verify your identity to a reasonable extent and generally respond to your request within 45 days. You may also designate an Authorized Agent to assert your rights on your behalf.

In the past twelve months, we have processed your personal information exclusively for the fulfilment of our contractual, statutory and legitimate business purposes. Disclosure to third parties takes place only to service providers / contractors as part of our activities as a tour operator, and to authorities where required by law.

11.2 Information for users from other US states

If you reside in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Montana (MCDPA) or Oregon (OCPA), the respective state laws grant you comparable rights:

Right to Confirm Processing – confirmation of the processing of your personal data.
Right to Access: access to the data processed about you.
Right to Correct: correction of inaccurate data.
Right to Delete: deletion of your personal data where legally permissible.
Right to Data Portability: receipt of a copy of your data in a commonly used, machine-readable format.
Right to Opt-Out of the processing of your data for the purposes of targeted advertising, the sale of personal information, and automated profiling with significant legal or similarly material effects. Umfulana does not carry out any such profiling.
Right to Appeal: If we deny a request, you may appeal within a reasonable period. We will review the appeal and provide reasons within 60 days.

To exercise these rights or to file an appeal, please also contact umfulana@five.consulting.

11.3 Information for users from Brazil (LGPD)

If you reside in Brazil, the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, LGPD, Law No. 13.709/2018) applies additionally to the processing of your personal data.

The Controller (Controlador) is Umfulana GmbH (address above). The Data Protection Officer (Encarregado de Proteção de Dados) is Klaus Pampuch, Five Consulting, Frankenforster Str. 44, 51427 Bergisch Gladbach, Germany, umfulana@five.consulting.

The processing of your data is based on the legal hypotheses set forth in Art. 7 LGPD, in particular for the performance of a contract, based on your consent, for compliance with legal obligations, and for the protection of our legitimate interests.

Pursuant to Art. 18 LGPD, you have the following rights:

confirmation of the existence of processing;
access to your data;
correction of incomplete, inaccurate or outdated data;
anonymisation, blocking or deletion of unnecessary, excessive or unlawfully processed data;
data portability to another provider, subject to commercial and trade secret protection;
deletion of data processed on the basis of consent, subject to the exceptions set forth in Art. 16 LGPD;
information about the public and private entities with which we have shared your data;
information about the possibility of refusing consent and the consequences of such refusal;
withdrawal of consent pursuant to Art. 8 § 5 LGPD.

You can also assert your rights via umfulana@five.consulting. In the event of complaints, the Brazilian supervisory authority (Autoridade Nacional de Proteção de Dados, ANPD) is also available to you.

Any transfer of your personal data from Brazil to Germany is based on the mechanisms permitted under Art. 33 LGPD, in particular using contractual safeguards or your express consent.