Privacy Policy

The controller within the meaning of Art. 4 No. 7 GDPR is:

MBoutique GmbH & Co. KG Nazarethkirchstraße 51 13347 Berlin Germany

Email: info@charlie-m.de

An internal data protection officer has been appointed. The data protection officer can be contacted via the above address.

This Privacy Policy informs you about the processing of personal data in connection with:

• the operation of our website,

• booking and provision of hotel accommodation,

• the fully automated check-in process,

• the use of digital access systems,

• communication with guests (email, telephone, WhatsApp),

• payment processing,

• analysis and optimisation of hotel operations.

Personal data means any information relating to an identified or identifiable natural person.

We process personal data exclusively in accordance with the GDPR, in particular on the basis of:

• Art. 6(1)(a) GDPR - consent

• Art. 6(1)(b) GDPR - performance of a contract / pre-contractual measures

• Art. 6(1)(c) GDPR - legal obligation

• Art. 6(1)(d) GDPR - legitimate interest

Our services are directed at adults.

Minors may only stay at our hotel when accompanied by their legal guardians.

No independent processing of personal data of minors takes place.

In the context of booking and accommodation, we process in particular the following data:

• first and last name

• email address

• telephone number

• billing and, if applicable, company address

• stay details (arrival and departure dates, room assignment)

• booking and payment references

Purpose: Conclusion, performance and settlement of the accommodation contract.

Legal basis: Art. 6(1)(b) GDPR.

For guests who are not German nationals, registration data is processed in accordance with Sections 29 et seq. of the German Federal Registration Act (Bundesmeldegesetz).

Legal basis: Art. 6(1)(c) GDPR in conjunction with Sections 29 and 30 BMG.

Retention period: One year from the date of departure; deletion within three months thereafter.

For the management of bookings, stays, guest data and internal hotel operations, we use the property management system apaleo GmbH.

Provider: apaleo GmbH Dachauer Straße 15A 80335 Munich Germany

The following personal data is processed via Apaleo in particular:

• name

• contact details

• booking and stay information

• room and stay allocation

• billing and, where applicable, company information

Purpose: Proper management of hotel operations and performance of accommodation contracts.

Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

Apaleo acts as a data processor within the meaning of Art. 28 GDPR.

A corresponding data processing agreement has been concluded.

Processing takes place exclusively on servers within the European Union.

We use Guestway to provide a fully automated check-in process.

The following data may be processed:

• name

• contact details

• booking and stay information

• identification data (uploaded or manually entered), where required

Purpose: Execution of the check-in process and fulfilment of legal obligations.

Legal bases: Art. 6(1)(b) GDPR Art. 6(1)(c) GDPR

Identification data is stored only for as long as legally required and then deleted.

The check-in process is fully automated.

No automated decision-making within the meaning of Art. 22 GDPR takes place.

We use SALTO KS for digital access control.

The following data is processed:

• guest name

• stay period

• room allocation

• access logs (time and date of door access)

Purpose: Security, traceability and proper hotel operation.

Legal basis: Art. 6(1)(f) GDPR.

Access logs are stored only for a limited period and deleted unless security-related incidents require longer retention.

Access is restricted to management only.

Payment processing is carried out via Adyen.

Adyen acts as an independent controller within the meaning of the GDPR.

Legal basis: Art. 6(1)(b) GDPR.

We do not receive complete payment details (e.g. full credit card numbers).

We communicate with guests via:

• email

• telephone

• WhatsApp Business (via WhatsApp Ireland Ltd. and Twilio)

Communication serves:

• performance of the accommodation contract,

• handling of enquiries,

• guest support during the stay,

• post-stay communication (e.g. feedback).

Legal bases: Art. 6(1)(b) GDPR Art. 6(1)(f) GDPR Art. 6(1)(a) GDPR (WhatsApp)

Consent to WhatsApp communication may be withdrawn at any time.

Pre-stay, during-stay and post-stay messages may be sent automatically.

Support enquiries are stored and analysed to improve service quality and internal processes.

Legal basis: Art. 6(1)(f) GDPR.

When visiting our website, the following data is processed:

• IP address

• date and time of access

• accessed pages

• browser and operating system data

Purpose: Ensuring stability and security of the website.

Legal basis: Art. 6(1)(f) GDPR.

Retention period: Maximum of 14 days.

We use Google Analytics exclusively with IP anonymisation enabled.

• no profiling

• no remarketing

• no merging with other data

Legal basis: Art. 6(1)(a) GDPR (consent).

We use:

• technically necessary cookies (Art. 6(1)(f) GDPR),

• analytics cookies only with consent (Art. 6(1)(a) GDPR).

Data processing takes place exclusively on servers located within the European Union.

Regular backups are created and deleted after defined retention periods.

Personal data is deleted once the respective purpose no longer applies and no statutory retention obligations exist.

Data subjects have the right to:

• access (Art. 15 GDPR)

• rectification (Art. 16 GDPR)

• erasure (Art. 17 GDPR)

• restriction of processing (Art. 18 GDPR)

• data portability (Art. 20 GDPR)

• objection (Art. 21 GDPR)

• withdrawal of consent at any time (Art. 7(3) GDPR)

Berlin Commissioner for Data Protection and Freedom of Information

https://www.datenschutz-berlin.de

We reserve the right to amend this Privacy Policy with effect for the future in the event of legal or technical changes.