Privacy Policy
1. Data Protection
General Information: The following notes provide a simple overview of what happens to your personal data when you visit our website. Personal data includes all data that can be used to identify you personally. Detailed information on data protection can be found in the privacy policy provided below this text.
Data Collection on Our Website: Data processing on this website is carried out by the website operator:
Sascha Justus
Feldstraße 14
25826 St. Peter-Ording
Tel.: +49 (0)48 63 – 47 85 19
Email: info@hotelduenennest.de
How We Collect Your Data: Some of your data is collected when you provide it to us voluntarily. This usually happens when you use our contact form, make an online room booking through our booking calendar, or send us an inquiry by email.
Other data is collected automatically by our IT systems when you visit the website. This data is primarily technical information (e.g. internet browser, operating system, or the time the page was accessed). The collection of this data occurs automatically as soon as you enter our website.
What We Use Your Data For: We collect, process, and use personal data only to the extent necessary to establish, structure, or modify the contractual relationship. This is based on Article 6(1)(b) of the GDPR, which permits the processing of data for the performance of a contract or pre-contractual measures.
Other data may be collected automatically or with your consent when visiting the website by our IT systems. This mainly includes technical data (e.g. internet browser, operating system, or the time of page access). The collection of this data happens automatically as soon as you visit this website.
Your Rights Regarding Your Data: You have the right at any time to obtain free information about the origin, recipients, and purpose of your stored personal data. You also have the right to request the correction, blocking, or deletion of this data. For this purpose, and for further questions on the topic of data protection, you can contact us at any time at the address provided in the imprint. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.
Analytics Tools and Tools from Third Parties: When visiting our website, your browsing behavior may be statistically analyzed. This is mainly done using cookies and so-called analytics programs. The analysis of your browsing behavior is generally anonymous; your behavior cannot be traced back to you personally. You can object to this analysis or prevent it by not using certain tools. Detailed information on this can be found in the following privacy policy.
2. General Information and Mandatory Disclosures
We, as the operators of this website, take the protection of your personal data very seriously. We handle your personal data confidentially and in accordance with statutory data protection regulations as well as this privacy policy.
When you use this website, various personal data is collected. Personal data refers to any information that can be used to personally identify you. This privacy policy explains what data we collect and for what purposes we use it. It also explains how and why this happens.
Please note that data transmission over the internet (e.g., via email communication) can have security gaps. Complete protection of data from third-party access is not possible.
Responsible Party for Data Processing on This Website:
Hotel garni DünenNest, Owner: Sascha Justus
Feldstraße 14
25826 St. Peter-Ording
Tel.: +49 (0)4863-478519
Email: info@hotelduenennest.de
The responsible party is the natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data (e.g., names, email addresses, etc.).
Data Retention Period: Unless a specific storage period is stated within this privacy policy, your personal data will remain with us until the purpose for processing the data no longer applies. If you assert a legitimate request for deletion or withdraw your consent to data processing, your data will be deleted, unless we are legally permitted or required to retain it (e.g., tax or commercial record-keeping obligations). In the latter case, deletion occurs once these legal obligations no longer apply.
Legal Basis for Data Processing on This Website:
If you have given consent to the processing of your personal data, we process it based on Art. 6 (1)(a) GDPR or Art. 9 (2)(a) GDPR if special categories of data under Art. 9 (1) GDPR are processed.
In the case of explicit consent to transfer personal data to third countries, processing also takes place under Art. 49 (1)(a) GDPR.
If you have consented to the storage of cookies or access to information on your device (e.g., via device fingerprinting), this processing additionally occurs based on § 25 (1) TDDDG. Consent can be revoked at any time.
If your data is necessary for the performance of a contract or for pre-contractual measures, processing is based on Art. 6 (1)(b) GDPR.
We also process your data when it is required to comply with a legal obligation, under Art. 6 (1)(c) GDPR.
Furthermore, data processing may occur based on our legitimate interests under Art. 6 (1)(f) GDPR.
Details on the applicable legal bases in each specific case are provided in the following sections of this privacy policy.
Recipients of Personal Data: In the course of our business activities, we collaborate with various external service providers. This may require transferring personal data to these external parties. We only share personal data with third parties when:
it is necessary to fulfill a contract,
we are legally required to do so (e.g., tax authorities),
we have a legitimate interest as per Art. 6 (1)(f) GDPR, or
another legal basis permits the data transfer.
When we engage processors, we only disclose personal data based on a valid data processing agreement. In the case of joint processing, a joint controller agreement is concluded.
Withdrawal of Your Consent to Data Processing: Many data processing operations are only possible with your explicit consent. You may revoke your consent at any time with future effect by simply sending us an informal request. The lawfulness of data processing carried out before the withdrawal remains unaffected.
Right to Lodge a Complaint with the Supervisory Authority: If you believe your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority.
The responsible authority for data protection issues in our federal state is:
Independent Centre for Privacy Protection Schleswig-Holstein (ULD):
Holstenstr. 98
24103 Kiel, Germany
Tel.: 0431 – 988 1200
Fax: 0431 – 988 1223
Email: mail@datenschutzzentrum.de
Website: www.datenschutzzentrum.de
Right to Data Portability: You have the right to receive data that we process based on your consent or in fulfillment of a contract in a commonly used, machine-readable format. You may also request that this data be transferred directly to another controller, where technically feasible.
Access, Blocking, and Deletion: Within the limits of applicable law, you have the right to request free information about your stored personal data, its origin and recipients, and the purpose of processing, as well as the right to correction, blocking, or deletion of such data. For further questions about personal data, you can contact us anytime using the address provided in our imprint.
If deletion is not possible due to legal retention obligations, your data will be processed solely to fulfill these obligations.
Right to Restrict Processing: You have the right to request the restriction of processing of your personal data. You may contact us at any time to exercise this right. The right applies in the following cases:
If you dispute the accuracy of your personal data, we need time to verify it. During the verification period, you may request restriction of processing.
If the processing of your personal data is unlawful, you may request restriction instead of deletion.
If we no longer need your data, but you require it to exercise or defend legal claims, you may request restriction instead of deletion.
If you have objected to processing under Art. 21 (1) GDPR, a balance must be struck between your and our interests. Until this balance is determined, you have the right to restrict processing.
If you have restricted the processing of your personal data, such data – apart from storage – may only be processed with your consent, to assert or defend legal claims, to protect the rights of another person, or for reasons of important public interest of the EU or a Member State.
SSL or TLS Encryption:
For security reasons and to protect the transmission of confidential content (e.g., bookings or inquiries you send to us as the site operator), this site uses SSL or TLS encryption. You can recognize an encrypted connection when the browser’s address bar changes from “http://” to “https://” and by the padlock icon in your browser’s address bar.
When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Encrypted Payment Transactions on This Website:
If, after concluding a paid contract, there is an obligation to provide us with your payment information (e.g., credit card number), this data is required for payment processing.
Payment transactions using common payment methods (Visa, MasterCard, American Express) are processed exclusively via an encrypted SSL or TLS connection. You can recognize an encrypted connection when the address bar of your browser switches from “http://” to “https://” and by the padlock symbol in your browser.
With encrypted communication, your payment details cannot be intercepted or read by third parties.
Objection to Promotional Emails: We hereby object to the use of contact data published in accordance with the legal notice requirements for sending unsolicited advertising and informational materials. The operators of these pages expressly reserve the right to take legal action in the event of unsolicited advertising, such as spam emails.
3. Data Collection on Our Website
3.1. Hosting
We host the content of our website with the following provider:
Hostinger International Ltd.
61 Lordou Vironos Street
6023 Larnaca, Cyprus
(hereinafter referred to as “Hostinger”).
Hostinger provides the technical infrastructure required for the operation and accessibility of our website. When you visit our website, all personal data generated in the course of use (e.g., IP address, access time, technical browser information, requested content) is processed on Hostinger’s servers.
The servers used by Hostinger are located exclusively in data centers within the European Union. According to the provider, customer websites are primarily hosted on servers located in Lithuania or Germany. A transfer of personal data to third countries does not generally take place. In exceptional cases where processing occurs outside the EU or EEA, it is conducted solely on the basis of the EU Commission’s Standard Contractual Clauses (Art. 46(2)(c) GDPR) to ensure an adequate level of data protection.
Hostinger stores technically necessary cookies that are required for the provision and security of the website (e.g., for load balancing and server stability). Further processing occurs only with your consent in accordance with Art. 6(1)(a) GDPR and § 25(1) TDDDG, where this includes access to information on the user’s device. Consent can be withdrawn at any time.
The use of Hostinger is based on Art. 6(1)(f) GDPR. We have a legitimate interest in the stable, fast, and secure provision of our website.
Data Processing Agreement:
We have entered into a Data Processing Agreement (DPA) with Hostinger pursuant to Art. 28 GDPR. This ensures that Hostinger processes personal data of our website visitors solely in accordance with our instructions and in compliance with applicable data protection laws.
Further information on Hostinger’s data protection practices can be found at:
https://www.hostinger.de/legal/datenschutzerklaerung
3.2. Cookies
Our website uses so-called “cookies.” Cookies are small data packets that do not harm your device. They are either stored temporarily for the duration of a session (session cookies) or permanently (persistent cookies) on your device. Session cookies are automatically deleted after your visit ends. Persistent cookies remain stored on your device until you delete them manually or your browser automatically removes them.
Cookies may be placed by us (first-party cookies) or by third parties (third-party cookies). Third-party cookies enable the integration of certain third-party services within websites (e.g., payment processing cookies).
Cookies serve various purposes. Many cookies are technically necessary because certain website features will not function without them (e.g., shopping cart or video playback). Other cookies are used for analyzing user behavior or for advertising purposes.
Cookies that are necessary for carrying out electronic communication, providing certain functions requested by you (e.g., shopping cart), or optimizing the website (e.g., measuring web audience) are stored on the basis of Art. 6(1)(f) GDPR, unless another legal basis is specified. The website operator has a legitimate interest in storing necessary cookies to ensure the technically error-free and optimized provision of its services.
If consent for the storage of cookies or similar recognition technologies is requested, processing is carried out exclusively on the basis of this consent (Art. 6(1)(a) GDPR and § 25(1) TDDDG). Consent can be revoked at any time.
You can configure your browser to inform you when cookies are set, to allow cookies only in individual cases, to exclude the acceptance of cookies in specific cases or in general, and to enable the automatic deletion of cookies when closing your browser. Disabling cookies may limit the functionality of this website.
3.3. Server Log Files
The website provider automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These include:
Browser type and version
Operating system used
Referrer URL
Hostname of the accessing computer
Time of the server request
IP address
The basis for data processing is Art. 6(1)(f) GDPR, which permits the processing of data for the performance of a contract or for pre-contractual measures, as well as for ensuring the secure and stable operation of the website.
4. General Data Collection
4.1. Contact Form
If you send us inquiries via our contact form, your information from the inquiry form, including the contact details you provide there, will be stored by us for the purpose of processing your inquiry and for possible follow-up questions. We do not share this data without your consent.
The processing of this data is based on Art. 6 (1)(b) GDPR, insofar as your request is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective handling of inquiries directed to us (Art. 6 (1)(f) GDPR) or on your consent (Art. 6 (1)(a) GDPR), where applicable. Consent can be withdrawn at any time.
The data you provide in the contact form will remain with us until you request its deletion, revoke your consent to storage, or the purpose for data storage no longer applies (e.g., after your inquiry has been fully processed). Mandatory statutory provisions, especially retention periods, remain unaffected.
4.2. Inquiry by Email, Telephone, or Fax
If you contact us by email, telephone, or fax, your inquiry, including all personal data resulting from it (name, inquiry details), will be stored and processed by us for the purpose of handling your request. We do not pass on this data without your consent.
The processing of this data is based on Art. 6 (1)(b) GDPR, insofar as your request is related to the fulfillment of a contract or necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in efficiently handling inquiries (Art. 6 (1)(f) GDPR) or on your consent (Art. 6 (1)(a) GDPR), where applicable. Consent can be withdrawn at any time.
The data you send us via inquiries will remain with us until you request deletion, revoke consent, or the purpose of data storage no longer applies (e.g., after your request has been processed). Statutory retention obligations remain unaffected.
4.3. Processing of Data (Customer and Contract Data)
We collect, process, and use personal customer and contract data to establish, define, and amend our contractual relationships. Personal data relating to the use of this website (usage data) is collected, processed, and used only to the extent necessary to enable or bill the user for the use of our services. The legal basis for this is Art. 6 (1)(b) GDPR.
The personal data collected from you in connection with a room booking includes:
Last name, first name
Address, postal code, city
Email address
Telephone number
For online bookings: credit card data
Your credit card will be verified during booking according to the European Payment Services Directive (PSD2) using two-factor authentication (SCA). PCI-compliant verification is carried out via the payment service provider Stripe (see Section 5 below).
After your departure, the information required under commercial and tax law will be stored for the legally prescribed periods, based on Art. 6 (1)(c) GDPR. These records are typically retained for ten years from the date of departure (§ 147 AO and § 257 HGB). During this period, the data is processed only for review by tax authorities, unless you have expressly consented to further processing.
Please note that your email address will not be used for advertising or bulk mail purposes.
4.4. Data Transmission in the Context of Contract Fulfillment for Services and Digital Content
We transmit personal data to third parties only when this is necessary in the course of contract fulfillment or based on legal obligations.
When you make a booking through online travel portals or via our online booking calendar, your personal data is processed through:
Viato GmbH
Industriestr. 51
79194 Gundelfingen, Germany
The booking system is integrated into our website but hosted by this external service provider. The personal data you provide is transferred and processed solely for the stated purpose, using SSL encryption and in strict accordance with contractual obligations. Viato processes this data on our behalf, is carefully selected, bound by our instructions, and regularly monitored for compliance with the GDPR.
We have concluded a Data Processing Agreement with Viato.
Viato also collects technical data about your access and stores it as server log files, including:
Website visited
Time of access
Amount of data sent (in bytes)
Source/referrer from which you arrived
Browser used
Operating system used
IP address used
This data is used solely for statistical evaluation and website improvement.
Your data will not be sold, rented, or otherwise made available to third parties. Transfers of personal data to government institutions occur only when required by mandatory national laws.
The legal basis for processing is Art. 6 (1)(b) GDPR, which permits the processing of data necessary for fulfilling a contract or pre-contractual measures.
For more information on Viato’s privacy practices, please visit:
https://www.viato.net/datenschutz/
4.5. Processing of Guest Data and Digital Registration Form
To fulfill the legal registration requirement under § 30 of the Federal Registration Act (BMG), we are required to collect certain personal data from our guests. This processing is carried out using the hotel management software 3RPMS® Hotelsoftware, operated by:
HaDre GmbH
Bauerngasse 32
90443 Nuremberg, Germany
Commercial Register Nuremberg HRB 31157
(hereinafter referred to as “3RPMS”).
We use 3RPMS as a data processor under Art. 28 GDPR, and have entered into a data processing agreement ensuring that all personal data is processed exclusively in accordance with our instructions and applicable data protection laws.
Within the framework of the digital registration form, we process the following personal data in accordance with § 30 BMG:
First and last name
Address
Date of birth
Nationality
Arrival and departure date
Number of accompanying guests
Where applicable, ID document number (for foreign guests)
The processing of this data is solely for the purpose of fulfilling the statutory registration obligation.
The legal basis is Art. 6 (1)(c) GDPR in conjunction with § 30 BMG.
The data is retained for one year after departure and then deleted or anonymized, unless longer retention is required by law. Storage and processing by 3RPMS take place on servers located within Germany. No data is transferred to third countries.
4.6. Data Transmission for the Issuance of the St. Peter-Ording Guest Card
Under § 4 (1) and (2) of the Municipal Code of Schleswig-Holstein, the municipality of St. Peter-Ording is authorized to levy a tourist tax (Kurabgabe).
According to § 10 of the local ordinance governing the collection of this tax, we as accommodation providers are required to transmit the following personal guest data to the Tourist Information Center St. Peter-Ording, an enterprise of the municipality, for the purpose of calculating the tax and issuing the guest card:
Arrival date
Departure date
Name (first and last)
Home address
The transmission is carried out online via the system operated by:
feratel media technologies AG
Maria-Theresien-Straße 8
6020 Innsbruck, Austria
Further information on data protection and the current tourist tax ordinance can be found at:
https://www.st-peter-ording.de/fileadmin/Mediendatenbank/03_PDFs/Docs_im_neuen_CD/Gaestekarte/Kurabgabesatzung-SPO_Stand_Dez_2022.pdf
5. Payment Processing & Payment Services
We use various payment service providers to ensure secure and efficient processing of cashless and online payments.
The processing of personal data complies with the requirements of the General Data Protection Regulation (GDPR), particularly based on Art. 6 (1)(b) GDPR (contract fulfillment) and, where a legitimate interest in secure payment processing exists, Art. 6 (1)(f) GDPR.
If certain processing activities require your consent (e.g., saving payment data for future use), processing is based on Art. 6 (1)(a) GDPR; such consent can be withdrawn at any time.
5.1. Payments via Stripe (Online Payments)
For online bookings and digital payments on our website, we use the payment service provider:
Stripe Payments Europe, Ltd.
1 Grand Canal Street Lower, Grand Canal Dock
Dublin 2, Ireland
(hereinafter “Stripe”)
Stripe processes payment data (e.g., name, billing address, credit card details, transaction amount, email address, IP address, device information) for the purpose of payment processing and fraud prevention.
Processing is carried out to fulfill the contract (Art. 6 (1)(b) GDPR) and in our legitimate interest in ensuring secure payment transactions (Art. 6 (1)(f) GDPR).
Stripe may transfer data to third countries, particularly the United States.
Such transfers are based on the EU Commission’s Standard Contractual Clauses (SCCs) pursuant to Art. 46 (2)(c) GDPR to ensure an adequate level of data protection.
Stripe acts partly as an independent controller (e.g., for compliance and fraud prevention) and partly as a processor (for technical payment processing on our behalf).
We have entered into a Data Processing Agreement (DPA) with Stripe.
Further information on data processing by Stripe:
🔗 https://stripe.com/de/privacy
🔗 https://stripe.com/de/guides/general-data-protection-regulation
5.2. On-Site Payments via SumUp (POS Terminal)
For card payments made on-site at our hotel (e.g., debit or credit card, NFC, Apple Pay, Google Pay), we use the payment service provider:
SumUp Payments Limited
Block 8, Harcourt Centre, Charlotte Way
Dublin 2, Ireland
(hereinafter “SumUp”)
When using the SumUp terminal, the following data required for payment processing (cardholder name, card number, expiration date, transaction amount, date and time, and possibly signature) are processed by SumUp.
Processing takes place for contract fulfillment (Art. 6 (1)(b) GDPR) and in our legitimate interest in secure and efficient payment handling (Art. 6 (1)(f) GDPR).
SumUp stores transaction data to comply with statutory record-keeping and verification obligations and for fraud prevention.
Data is generally processed within the European Union. In exceptional cases, data may be transferred to third countries (e.g., the USA or UK) under the EU Standard Contractual Clauses (SCCs).
Further information on data protection at SumUp:
🔗 https://www.sumup.com/de-de/datenschutzbestimmungen/
5.3. Responsibilities
Responsible for on-site payments (cash register / terminal):
Hotel garni DünenNest
Owner: Sascha Justus
Feldstraße 14, 25826 St. Peter-Ording
Phone: +49 (0)4863 / 478 519
Responsible for online payments (acquiring / payment processing):
Stripe Payments Europe Ltd., Dublin (Stripe)
SumUp Payments Limited, Dublin (SumUp)
5.4. Data Retention and Legal Storage Obligations
We store payment and billing data only as long as necessary for payment processing and any possible reversals.
Beyond that, billing-relevant data is retained to comply with commercial and tax record-keeping obligations pursuant to § 147 AO and § 257 HGB.
The regular retention period is ten years from the end of the fiscal year in which the payment occurred.
During this period, the data is reprocessed only for financial audits or to fulfill legal obligations (Art. 6 (1)(c) GDPR).
💡 Note: When you make a payment via Stripe or SumUp, your data is transmitted directly to the respective payment service provider.
Without this data transfer, payment cannot be completed. You may, of course, choose an alternative payment method (e.g., cash payment on-site).
6. Changes to This Privacy Policy
We reserve the right to modify our privacy practices and this policy in order to comply with changes in relevant laws or regulations, or to better meet your needs. Any updates to our privacy practices will be announced here. Please refer to the current version date of this privacy policy for reference.
St. Peter-Ording, November 1, 2025


