Contact

Privacy Policy

Last updated: 21 August 2025

1. Controller

5XPLR GmbH
Teichdamm 8, 07356 Bad Lobenstein, Germany
Represented by the Managing Director: Paolo A. Schepeler
Email (privacy): info@5xplr.com
Web: www.5xplr.com

A Data Protection Officer has not been appointed (not legally required at present). For any privacy matter, please contact us via the email above.

2. Categories of data, purposes, legal bases

Depending on your use of our services, we process:

  • Contact / master data (e.g., name, email, phone),
  • Contract / booking data (travel enquiry, travel dates, preferences),
  • Payment / billing data (processed primarily by payment service providers; see section 7),
  • Communication data (emails, WhatsApp/messages),
  • Usage / metadata (server logs, cookie IDs, time stamps, IP in truncated/anonymised form).

Purposes & legal bases (Art. 6(1) GDPR):
a) Website provision & IT security – legitimate interests (Art. 6(1)(f))
b) Handling enquiries & travel mediation (pre-contractual / contractual) – performance of a contract (Art. 6(1)(b))
c) Newsletter / email marketing – consent (Art. 6(1)(a)) and §7 UWG
d) Compliance with trade/tax retention duties – legal obligation (Art. 6(1)(c))
e) Cookies/Tracking (where used) – consent (Art. 6(1)(a)) and §25 TTDSG; essential cookies – legitimate interests(Art. 6(1)(f))

Special categories of data (Art. 9 GDPR):
Health-related information (e.g., intolerances, mobility assistance, special needs) is processed only if necessary and with your explicit consent under Art. 9(2)(a) GDPR (revocable at any time).

3. Hosting & server log files

Our hosting provider processes server log data (requested URL, date/time, transferred data, referrer, user agent, and IP in truncated/anonymised form) to ensure stability and security. Legal basis: Art. 6(1)(f) GDPR. Log data is stored briefly and then deleted/anonymised.

4. Contact forms, email, WhatsApp

If you contact us, we process your information to handle your enquiry and for mediation steps (Art. 6(1)(b) GDPR).
WhatsApp: If you contact us via WhatsApp, data is transmitted to WhatsApp/Meta and may be processed for their own purposes (including possible third-country transfers). Please do not send sensitive data via messenger; email is available as an alternative.

5. Travel mediation (we act as a travel intermediary)

We mediate travel services provided by third-party providers (e.g., airlines, hotels, car rentals, activities). For the performance of those services, we transmit the necessary data to the relevant provider (Art. 6(1)(b) GDPR). The provider is responsible for delivering the service.

6. Newsletter (double opt-in & performance tracking)

You may subscribe to our newsletter. Required field: email address. We use double opt-in: you will receive a confirmation email; your subscription becomes active only after you confirm.
We log subscriptions/unsubscriptions (time, IP truncated) for evidence purposes (Art. 6(1)(f)).
Performance measurement: Our newsletters may include tracking pixels and unique links to record open and click rates in order to improve content (Art. 6(1)(a) GDPR). You may withdraw consent at any time with future effect via the unsubscribe link in every email or by contacting us.

Suggested consent text (for your form):

“I would like to receive the 5XPLR GmbH email newsletter. I can withdraw my consent at any time with future effect (unsubscribe link in each email). For details, see the Privacy Policy.”

7. Payments via link (e.g., Stripe/PayPal)

When paying via a payment link, payment data is processed directly by the payment service provider (PSP); we do not receive full card details. Legal basis: Art. 6(1)(b) GDPR.
For security/fraud prevention, PSPs may conduct risk/credit checks and may share data with credit reference agencies in that context (see the PSP’s privacy notices). International transfers (e.g., to the USA) may occur; providers rely on appropriate safeguards (e.g., EU-US Data Privacy Framework and/or Standard Contractual Clauses).

8. Cookies & similar technologies (if used)

We use essential cookies necessary for basic site functionality (Art. 6(1)(f)).
We use analytics/marketing cookies and third-party technologies only with your consent (Art. 6(1)(a) GDPR; §25 TTDSG). You can change or withdraw your choices at any time via the cookie banner.
The specific tools used (e.g., analytics, maps, video embeds) will be listed transparently in the banner/this section once enabled.

9. Social media

We maintain online presences (e.g., Instagram, Facebook, LinkedIn, TikTok) for communication and information. The platforms’ privacy policies apply. Depending on the platform, page insights/statistics may be provided; in such cases, joint controllership with the platform operator under Art. 26 GDPR may apply. Our legal basis for communication/community management is Art. 6(1)(f) GDPR.

10. Processors, recipients, international transfers

We use service providers (e.g., hosting, newsletter dispatch, support, CRM) under data processing agreements(Art. 28 GDPR).
Where data is transferred outside the EU/EEA, we ensure an adequate level of protection (adequacy decision or Standard Contractual Clauses).

11. Storage periods

  • Enquiries/communications: typically 12 months after completion,
  • Contract/billing data: retained per commercial/tax law (typically 6–10 years),
  • Newsletter data: until consent is withdrawn; subscription logs retained for up to 3 years (evidence).

12. Security of processing

We implement appropriate technical and organisational measures (encryption, access controls, backups) to protect personal data against loss, misuse, and unauthorised access.

13. Your rights

Subject to the conditions of the GDPR, you have the right to:

  • Access (Art. 15), rectification (Art. 16), erasure (Art. 17),
  • Restriction of processing (Art. 18), data portability (Art. 20),
  • Object to processing based on Art. 6(1)(e/f) (Art. 21),
  • Withdraw consent at any time (Art. 7(3)), with future effect.

You also have the right to lodge a complaint with a data protection supervisory authority, in particular in your EU Member State of residence, place of work, or the place of the alleged infringement (e.g., Thuringia: TLfDI).

14. Obligation to provide data

Providing personal data is voluntary; however, certain information is required to handle enquiries and to mediatetravel services. Without it, we may be unable to provide the requested service.

15. Minors

Our services are not directed at persons under 16. For newsletter subscriptions by minors, consent of a parent/guardian is required.

16. Changes to this policy

We may update this policy if laws, our processes, or tools change. The current version is always available at www.5xplr.com.