Privacy policy

Last updated: May 23,2024

Thank you for your interest in the information on our website!

The terms used in our privacy policy and our data protection practices are based on the provisions of the EU General Data Protection Regulation ("GDPR") and other relevant national legislation.

Responsible within the meaningof the GDPR

GT7 Hospitality Holding GmbH
Austria

E: office@saltandhoney.at

Data collection on our website

On the one hand, personal data is collected from you if you expressly provide it to us; on the other hand, data, in particular technical data, is collected automatically when you visit our website. Some of this data is collected to ensure that our website functions correctly. Other data may be used for analysis purposes. However, you can generally use our website without having to provide any personal data.

Technologies on our website

Cookies and local storage

We use cookies on our website to make our internet presence more user-friendly and functional. Some cookies remain stored on your end device.  

Cookies are small data packets that are exchanged between your browser and our web serve rwhen you visit our website. They do not cause any damage and are only used to recognize website visitors. Cookies can only store information that is providedby your browser, i.e. information that you have entered into the browser yourself or that is available on the website. Cookies cannot execute code andc annot be used to access your end device.

The next time you visit our website with the same device, the information stored in cookies may subsequently be sent back either to us ("first-partycookie") or to a third-party web application to which the cookie belongs("third-party cookie"). Through the stored and returned information, the respective web application recognizes that you have already accessed and visited the website with the browser of your end device.   

Cookiescontain the following information:

• Cookie name
• Name of the server from which the cookie originated
• Cookie ID number
• A date on which the cookie is automatically deleted

Dependingon their intended use and function, we divide cookies into the followingcategories:  

• Technically necessary cookies to ensure the technical operation and basic functions of our website. This type of cookie is used, for example, to maintain your settings while you navigate the website; or they can ensure that important information is retained throughout the session (e.g. login, shopping cart).
• Statistics cookies to understand how visitors interact with our website by collecting and analyzing information anonymously only. This provides us with valuable insights to optimize both the website and our products and services.
• Marketing cookies to set targeted advertising activities  for users on our website.  
• Unclassified cookies are cookies that we are currently trying to classify  together with providers of individual cookies.  

Dependingon the storage period, we also divide cookies into session and persistent cookies. Session cookies store information that is used during your current browser session. These cookies are automatically deleted when you close your browser. No information remains on your end device. Persistent cookies store information between two visits to the website. This information is used to recognize you as a returning visitor on your next visit and the website responds accordingly. The lifespan of a permanent cookie is determined by the provider of the cookie.  

The legal basis for the use of technically necessary cookies is based on our legitimate interest in the technically flawless operation and smooth functionality of our website. Our website cannot function properly without these cookies. The use ofstatistics and marketing cookies requires your consent. You can revoke yourconsent to the use of cookies at any time for the future. Consent is voluntary.If it is not given, there are no disadvantages. Further information about thecookies we actually use (in particular about their purpose and storageduration) can be found in this privacy policy and in the information about thecookies we use in our cookie banner.

You can also set your Internet browser so that the storage of cookies on your device isgenerally prevented or you are asked each time whether you agree to the settingof cookies. Once cookies have been set, you can delete them at any time. You can find out how all this works in detail in the help function of your browser.   

Please notet hat a general deactivation of cookies may lead to functional restrictions onour website. Third parties cannot access the data stored in local storage. If special plugins ortools use the local storage functions, this is described in the respectiveplugin or tool.

If you do not want plugins or tools to use local storage functions, you can control this in the settings of your respective browser. We would like to point out that this may result in functional restrictions.

Google Fonts

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parentcompany Google LLC (USA), https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active
Purpose: Integration of fonts
Category: Statistics
Recipient: EU, USA (possible)
Processed data: IP address, language settings, screen resolution, version andname of the browser
Data subjects: Website visitors
Technology: JavaScript call
Legal basis: Consent, Data Privacy Framework
Website: www.google.com
Further information: https://www.google.com/about/datacenters/inside/locations/

Our website uses so-called web fonts provided by Google for the uniform display of fonts.

To displayweb fonts from Google, the browser you are using must connect to Google'sservers. As a result, Google becomes aware that our website has been accessedvia your IP address. Google also stores the IP address of the browser of theend device of the visitor to our website. If your browser does not support webfonts, a standard font will be used by your device.

In addition to the IP address, information such as language settings, screenresolution, version and browser name are automatically transmitted to Googleservers with every Google font request. Google can use the collected usage datato determine the popularity of fonts. Google publishes the results on internalanalysis pages (e.g. Google Analytics).

With GoogleFonts, we can use fonts on our own website and do not have to upload them toour server. Google Fonts is an important component in keeping the quality ofour website high. All Google fonts are automatically optimized for the web,which saves data volume and is a great advantage, especially when using mobiledevices. When you visit us, the low file size ensures a fast loading time.Furthermore, Google Fonts are secure web fonts and support all common browsers.

Googlestores requests for CSS assets on its servers for one day. This enables us touse the fonts with the help of a Google stylesheet. The font files are storedby Google for one year. To delete data prematurely, you must contact Googlesupport ( https://support.google.com ).

Hosting

As part of the hosting of our website, all data to be processed in connection with the operation of our website is stored. This is necessary to enable the operationof the website. We therefore process the data accordingly on the basis of our legitimate interest in optimizing our website offering. To provide our online presence, we use the services of web hosting providers to whom we make the above-mentioned data available as part of order processing.

Contact us

When youcontact us, your data will be used to process the contact request and its handling in the context of the fulfillment of pre-contractual rights and obligations. The processing of your data is necessary for processing and answering your request, otherwise we will not be able to answer your request or only to a limited extent. The data may be stored in a customer and prospect database on the basis of our legitimate interest in direct marketing.

We will delete your inquiry and your contact data if your inquiry has been conclusively answered and there are no statutory retention periods to prevent deletion, e.g.in the context of subsequent contract processing. This is usually the case ifthere has been no further contact with you for three years.

Server log files

Fortechnical reasons, in particular to ensure a functional and secure Internetpresence, we process technically necessary data about access to our website inso-called server log files, which your browser automatically transmits to us.

The accessdata that we process includes

• Name of the website accessed  
• Browser type used incl. version
• Operating system used by the visitor
• the page previously visited by the visitor (referrer URL)
• Time of the server request
• Amount of data transferred
• Host name of the accessing computer (IP address used)

This datais not assigned to any natural persons and is only used for statistic evaluations and for the operation and improvement of our website as well as forthe security and optimization of our Internet offer. This data is only transmitted to our website host. This data is not combined or merged with other data sources. If there is any suspicion of unlawful use of our website, we reserve the right to check this data retrospectively. The data processing is based on our legitimate interest in the technically error-free presentation and optimization of our website.

The access data is deleted shortly after the purpose has been fulfilled, usually after afew days, unless further storage is required for evidence purposes. Otherwise, the data is stored until an incident has been finally clarified.

SSL encryption

When you visit our website, we use the widely used SSL (Secure Socket Layer) method inconjunction with the highest level of encryption supported by your browser. You can tell whether an individual page of our website is transmitted inencrypted form by the closed display of the key or lock symbol in the statusbar of your browser. The use of this procedure is based on our legitimate interest in the use of suitable encryption techniques.

We also use suitable technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss,destruction or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments and kept up to date with the state of the art.

General information on dataprotection

The following provisions apply not only to the collection of data on our website,but also to the processing of personal data in general.

Personal data

Personal data is information that can be assigned to you individually. Examples of thisinclude your address, name, postal address, e-mail address or telephone number. Information such as the number of users who visit a website is not personal data because it cannot be assigned to an individual person.

Legal basis for the processingof personal data

Unless more specific information is provided in this privacy policy (e.g. for the technologies used), we may process your personal data on the basis of the following legal bases:

• Consent pursuant to Art. 6 para. 1 lit. a GDPR - the data subject has given their consent to the processing of their personal data for one or more specific purposes.
• Performance of a contract and pre-contractual measures pursuant to Art. 6 para. 1 lit. b GDPR - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps prior to entering into a contract.
• Legal obligation pursuant to Art. 6 para. 1 lit. c GDPR - Processing is necessary for compliance with a legal obligation.
• Protection of vital interests pursuant to Art. 6 para. 1 lit. d GDPR - Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
• Legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR - Processing is necessary for the purposes of the legitimate interests pursued by the controller(s) or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Please note that in addition to the provisions of the GDPR, the national data protection regulations in your or our home country may apply.

Transmission of personal data

Your personal data will not be transferred to third parties for purposes other thanthose listed in this privacy policy.

We only pass on your personal data to third parties if:

• you have given your express consent in accordance with Art. 6 para. 1 lit. a GDPR,
• the disclosure pursuant to Art. 6 para. 1 lit. f GDPR is ecessary to safeguard legitimate interests and to assert, exercise     or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,
• there is a legal obligation for the disclosure pursuant to Art. 6 para. 1 lit. c GDPR and this is permitted by law and / or
• it is necessary for the processing of contractual relationships with you in accordance with Art. 6 para. 1 lit. b GDPR.

Cooperation with processors

Wecarefully select our service providers who process personal data on our behalf.If we commission third parties to process personal data on the basis of anorder processing contract, this is done in accordance with Art. 28 GDPR.

Transfer to third countries

If we process data in a third country or if this occurs in the context of the use of third-party services or disclosure or transfer of data to other persons orcompanies, this will only take place on the basis of the legal bases described above for the transfer of data.

Subject to express consent or contractual necessity, we process or have the data processed in accordance with Art. 44-49 GDPR only in third countries with a level of data protection recognized as adequate or on the basis of special guarantees, such as a contractual obligation through so-called standard contractual clauses of the EU Commission, the existence of certifications or binding internal dataprotection regulations.

Data transfer to the USA

We would like to expressly point out that on July 10, 2023, the EU Commission issued anadequacy decision on the EU-US data protection framework in accordance with Art. 45 para. 1 GDPR. Accordingly, organizationsor companies (as data importers) in the USA that are registered in a publiclist as part of the self-certification of the Data Privacy Framework offer an adequate level of protection for data transfers. You can find out whether the specific provider of a service is already certified here: https://www.dataprivacyframework.gov/s/participant-search

The Data Privacy Framework provides a valid legal basis for the transfer of personal data to the USA. This creates binding safeguards to meet all the requirementsof the ECJ; for example, it provides that access by US intelligence services to EU data is limited to what is necessary and proportionate and that a data protection review court is created to which individuals in the EU also have access.

If we transfer data to the USA at all or if we use a service provider based in the USA, we explicitly refer to this in this privacy policy (see in particular thedescription of the technologies on our website).

It shouldbe noted that apart from significant improvements, the Data Privacy Frameworkis only partially applicable and only applies to data transfers to those dataimporters in the US that appear on the public list of certified organizations /companies.

What canthe transfer of personal data to the USA mean for you as a user and what arethe risks in this context?

Risks foryou as a user:in as far as data importers in the USA are concerned, which arenot covered by the Data Privacy Framework, are in any case the powers of the USintelligence services and the legal situation in the USA, which currently,according to the ECJ, no longer ensure an adequate level of data protection.These include the following points:

• Section 702 of the Foreign Intelligence Surveillance Act (FISA) provides no restrictions on the surveillance activities of the     intelligence agencies and no safeguards for non-US citizens.
• Presidential Policy Directive 28 (PPD-28) does not provide affected persons with effective legal remedies against measures taken by the US     authorities and does not provide for any limits to ensure proportionate measures.
• the ombudsman's office provided for in the Privacy Shield does not have sufficient independence from the executive; it cannot issue binding     orders to the intelligence services.

Legally compliant transfer of data to the USA on the basis of the standard contractualclauses for data importers not covered by the Data Privacy Framework?

In June 2021, the European Commission adopted new Standard Contractual Clauses (SCCs) in Decision 2021/914/EU. These create a new legal basis for data transfers where the level of data protection is not the same as in the EU.

Legally compliant transfer of data to the USA on the basis of consent?

If data is transferred to a service provider based in the USA that is not covered by the Data Privacy Framework and this data transfer is based on explicit consent, we will provide explicit information about this in this privacy policy, inparticular in the description of the technologies used on our website.

What measures do we take to ensure that data transfers to the USA are legallycompliant?

Where US providers offer the option, we choose to process data on EU servers. This should technically ensure that the data is located within the European Unionand cannot be accessed by US authorities.

Storage period in general

If no explicit storage period is specified when data is collected (e.g. as part of adeclaration of consent), we are obliged to delete personal data in accordancewith Art. 5 para. 1 lit. e GDPR as soon as the purpose of its processingno longer exists. In this context, we would like to point out that statutoryretention obligations to which we are subject constitute a legitimate purposefor the further processing of the personal data collected.

In principle, we store and retain data in personal form until the end of a business relationship or until the expiry of applicable guarantee, warranty or limitation periods, and beyond that until the end of any legal disputes in which the data is required as evidence, or in any case until the end of the third year after the last contact with a business partner.

Storage duration in particular

As part of the description of individual technologies on our website, you will find specific information on the storage duration of data. Our cookie table informsyou about the storage duration of individual cookies. In addition, you alwayshave the option of asking us directly about the specific storage duration ofdata. To do so, please use the contact details provided in this privacy policy.

Rights of data subjects

Affectedpersons have the right:

• (i) in accordance with Art. 15 GDPR, to request information  about your personal data processed by us. In particular, you can request information about the purposes of processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
• (ii) in accordance with Art. 16 GDPR, to immediately request the correction of incorrect or incomplete personal data stored by us;
• (iii) in accordance with Art. 17 GDPR, to request the deletion of your personal data stored by us under certain circumstances, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of publicinterest or to assert, exercise or defend legal claims;
• (iv) in accordance with Art. 18 GDPR, to demand the (temporary) restriction of the processing of your personal data if the accuracy of the data is disputed by you, the processing is unlawful but you refuse to delete it, we no longer need the data but you need it to assert, exercise or defend legal claims or you have lodged an objection to the processing in accordance with Art. 21 GDPR;
• (v) in accordance with Art. 20 GDPR, to receive from us your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted directly to another controller; however, this only covers your personal data that we process with the aid of automated procedures on the basis of your consent or on the basis of a contract;
• (vi) pursuant to Art. 21 GDPR, insofar as your personal data is processed on the basis of our legitimate interest, to object to the processing of your personal data, provided that there are reasons for this arising from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right to object, which will be implemented by us without specifying a particular situation;
• (vii) in accordance with Art. 7 (3) GDPR, to withdraw your consent once given to us at any time. As a result, we may no longer continue the data processing that was based on this consent in the future. Among other things, you have the option of revoking your consent to the use of cookies on our website with effect for the future by accessing our cookie settings;
• (viii) pursuant to Art. 77 GDPR, to lodge a complaint with a supervisory authority regarding the unlawful processing of your data by us. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.

The competent supervisory authority for GT7 Hospitality Holding GmbH is

Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna, Austria
Phone: +43 1 52 152-0, dsb@dsb.gv.at

Assertion of data subject rights

You decide on the use of your personal data. Should you therefore wish to exercise any of the above rights against us, you are welcome to contact us by e-mail at office@saltandhoney.at or by post or telephone.

Please help us to clarify your request by answering questions from our responsible employees regarding the specific processing of your personal data. If there are reasonable doubts about your identity, we may request a copy of your ID.

If you haveany questions about data protection, please contact us at office@saltandhoney.at or using the other contactdetails provided in this privacy policy.