GDPR Information
Privacy Policy
Information on the processing of your personal data — Last updated: November 2026
Our hotels operate under German law. This privacy policy is governed by the EU General Data Protection Regulation (GDPR) and German data protection legislation.
1. Data Controller
The data controller responsible for processing your personal data under the GDPR is:
Nova Estate Operations GmbH
Elisabeth-Selbert-Strasse 19
40764 Langenfeld
Germany
Phone: +49 2116 355 1964
Email: info@nova-hotels.de
2. Data Protection Officer
You can reach our Data Protection Officer at:
Email: datenschutz@nova-hotels.de
3. What Data We Process
3.1 Personal Identification Data
- First and last name
- Address (street, postal code, city, country)
- Date of birth
- Nationality
- ID document data (type, number, issuing authority, validity)
- Contact details (mobile phone number, email address)
3.2 Travel Data
- Arrival and departure dates
- Room and booking details
- Companion data
- Purpose of travel (private/business)
3.3 Business Data (for business travel)
- Company name and address
- VAT identification number (VAT ID)
3.4 Image and Biometric Data
- Photo of your ID document when optionally captured via your smartphone camera
- Digital signature that you provide on the registration form
4. Legal Basis for Processing
We process your data on the following legal bases:
- Art. 6(1)(b) GDPR — performance of the accommodation contract
- Art. 6(1)(c) GDPR in conjunction with §§ 29 ff. of the German Federal Registration Act (Bundesmeldegesetz, BMG) — legal obligation to register accommodation guests
- Art. 6(1)(f) GDPR — legitimate interests, in particular for security, accounting, fraud prevention and access code generation
- Art. 6(1)(a) GDPR — consent, where required (e.g. for optional marketing communications)
5. Purpose of Data Processing
- Processing of your booking and the accommodation contract
- Compliance with the statutory registration obligation under BMG
- Invoicing and accounting
- Generation and delivery of your digital door code
- Communication with you about your stay
- Prevention of fraud, damage and misuse
6. Recipients of Your Data
Your data is shared, to the extent necessary, with the following recipients:
- Property Management System (PMS): Apaleo GmbH, Gmunder Str. 53, 81379 Munich, Germany
- Door lock service: TTLock (Sciener Co., Ltd.) — for generating your digital access code
- Messaging service: Trengo (for WhatsApp, SMS and email delivery), WhatsApp/Meta (for WhatsApp messages)
- Automation service: Make.com (Celonis SE)
- Database service: Airtable Inc.
- Tax advisors and auditors as part of our accounting
- Authorities, where required by law (e.g. police, tax authorities)
7. Data Transfers to Third Countries
Some of our service providers are based outside the EU. Such transfers are based on:
- EU Standard Contractual Clauses (Art. 46(2)(c) GDPR)
- Adequacy decisions of the European Commission
- Your explicit consent (Art. 49(1)(a) GDPR)
8. Retention Period
- Registration data (Meldeschein): 1 year after the end of your stay per § 30(4) BMG, then deleted
- Invoice data and tax-relevant records: 10 years per § 257 HGB and § 147 AO
- Photo of your ID document: automatically deleted 7 days after your departure
- Digital signature: stored together with the registration record and subject to the same retention period
- Access codes (door PINs): deactivated at the end of validity (departure date) and removed from the lock after 30 days
9. Your Rights as a Data Subject
Under the GDPR, you have the following rights:
9.1 Right of Access (Art. 15 GDPR)
You have the right to request information about the personal data we hold about you.
9.2 Right to Rectification (Art. 16 GDPR)
You have the right to request the correction of incorrect data or the completion of your data.
9.3 Right to Erasure (Art. 17 GDPR)
You have the right to request the deletion of your data, provided no statutory retention obligations stand against it.
9.4 Right to Restriction of Processing (Art. 18 GDPR)
You can request the restriction of the processing of your data.
9.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive your data in a structured, commonly used and machine-readable format.
9.6 Right to Object (Art. 21 GDPR)
You can object to the processing of your data where such processing is based on legitimate interests.
9.7 Withdrawal of Consent (Art. 7(3) GDPR)
If processing is based on your consent, you may withdraw it at any time with effect for the future.
10. Right to Lodge a Complaint with a Supervisory Authority
You have the right to file a complaint with a data protection supervisory authority. The competent authority for us is:
State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia
Kavalleriestraße 2–4
40213 Düsseldorf
Germany
Phone: +49 211 38424-0
Web: www.ldi.nrw.de
11. Data Security
We implement technical and organizational measures to protect your data from unauthorized access:
- TLS encryption for data transmission (HTTPS)
- Access restrictions on a need-to-know basis
- Regular security audits of our systems
- Staff trained in handling personal data
12. Automated Decision-Making
Automated decision-making within the meaning of Art. 22 GDPR that produces legal effects for you does not take place.
13. Obligation to Provide Data
The collection of registration data (Meldeschein) is required by law (§ 29 BMG). Without this data, we cannot accommodate you. The remaining data is required for contract performance — refusing to provide it will mean we cannot enter into the accommodation contract.
14. Changes to This Privacy Policy
We reserve the right to update this privacy policy when legal requirements or our processing activities change. The current version is always available at this address.
For questions about data protection, contact us at datenschutz@nova-hotels.de.