Data protection | Privacy

Status: April 2026

With the following information we inform you about the processing of personal data when using our website www.vip-tickets-only.com as well as in the context of our enquiry, booking, passport and placement processes. The processing is carried out in accordance with the of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and the TDDDG.

1. responsible person

The controller within the meaning of the GDPR is:

VTO Elite Hospitality UG (limited liability)
Breitscheidstraße 59
15827 Blankenfelde-Mahlow
Germany

E-Mail: office@vto-elite-hospitality.com
Represented by the managing director: Dirk Ninnemann

2. Principles of data processing

We process personal data only to the extent necessary to provide a functional website, to process enquiries, to fulfil contracts including passport memberships, to fulfil legal obligations or to protect legitimate interests. Insofar as we obtain consent for certain processing operations, the processing is carried out on the basis of Art. 6 para. 1 lit. a GDPR; consent given can be revoked at any time with effect for the future. be revoked at any time with effect for the future.

3. Purposes of data processing and legal bases

We process personal data in particular for the following purposes and on the following legal bases:

• Provision of tickets and hospitality services, Processing customer enquiries, processing of bookings and projects, preparation and dispatch of quotations and invoices
  – Legal basis: Art. 6(1)(b) GDPR
• Management of passport memberships (Gold, Platinum, Elite), including contract term, automatic renewal, payment monitoring, dunning and debt collection
  - Legal basis: Art. 6 para. 1 lit. b GDPR, Art. 6 para. 1 lit. f GDPR
• payment processing (e.g. via Stripe, bank transfer)
  – Legal basis: Art. 6(1)(b) GDPR
• Automated process control (e.g. via Zapier, possibly Make.com), internal organisation (e.g. Google Workspace)
  - Legal basis: Art. 6 para. 1 lit. b GDPR, Art. 6 para. 1 lit. f GDPR
• Communication with customers and interested parties (e.g. by email, telephone, WhatsApp Business)
  - Legal basis: Art. 6 para. 1 lit. b GDPR, Art. 6 para. 1 lit. f GDPR
• Telephone pre-tuning, callback qualification and digital private client assistance (e.g. via Retell AI and Twilio), including call acceptance, callback, call notes, transcription and internal forwarding to the Private Client Service
  - Legal basis: Art. 6 para. 1 lit. b GDPR, Art. 6 para. 1 lit. f GDPR; insofar as consent is obtained, Art. 6 para. 1 lit. a GDPR
• newsletter dispatch (via rapidmail) and marketing communications
  - Legal basis: Art. 6 para. 1 lit. a GDPR
• Provision of the website and IT security (e.g. log files, hosting, abuse defence)
  - Legal basis: Art. 6 para. 1 lit. f GDPR
• Reach measurement, statistics and tracking (e.g. using cookies, Google Analytics)
  - Legal basis: Art. 6 para. 1 lit. a GDPR in conjunction with § 25 TDDDG
• Compliance with legal obligations (e.g. tax retention obligations)
  – Legal basis: Art. 6(1)(c) GDPR

4. Categories of personal data processed

Depending on the process, we process the following categories of personal data in particular:

• Master data (name, title, position/title if applicable)
• Contact details (address, email, telephone number)
• Company details (company name, VAT ID, billing address)
• Form data from online forms (e.g. event, date, passport model, number of tickets, price, payment method)
• Booking and contract details (offer number, invoice number, passport validity, renewal)
• Payment data (e.g. payment status, payment method; card data only by Stripe)
• Communication data (e-mail content, telephone notes, WhatsApp chats)
• Telephony and call data in the context of telephone pre-agreements, callbacks and AI-supported assistance, including call notes, transcripts, summaries and technical connection data
• Newsletter data (e-mail address, opening and clicking behaviour, if consented to)
• Technical data and logs (IP address, browser type, operating system, access times, referrer URL)
• Cookie IDs and online identifiers, provided you consent

5. Origin of the data

As a rule, we receive the data directly from you when you use our website, fill out a form, make bookings, apply for pass memberships or get in touch with us.

Data may also originate from the following sources:

• technical systems and tools (e.g. payment service providers, automation services, newsletter tool),
• public sources (e.g. company registers, your company's website), where necessary.

6. Processing via forms (e.g. Elementor Forms)

We use forms on our website to record enquiries, bookings and passport applications. Mandatory fields are labelled as such. If this information is not provided the enquiry or booking may not be processed.

Depending on the purpose, the following data in particular is collected via the forms:

• Name, title, company (if applicable)
• Address and contact details
• Event and booking information (e.g. event, date, number of tickets, areas)
• Pass membership details (e.g. desired model: Gold, Platinum, Elite)
• Price and payment information (e.g. total amount, preferred payment method)
• Optional comments and special requests

The legal basis for the processing is Art. 6 para. 1 lit. b GDPR and - in the case of voluntary information - Art. 6 para. 1 lit. a GDPR. Art. 6 para. 1 lit. a GDPR.

7. Payment processing via Stripe

For credit card payments, we use the payment service provider Stripe Payments. If you select the „credit card“ payment method or use a Stripe checkout link, your data (e.g. name, email address, invoice amount (e.g. name, e-mail address, invoice amount, invoice number and IP address) are transmitted to Stripe. Card data is only collected and processed directly by Stripe; we do not receive this data.

Service provider:

Stripe Payments Europe Ltd.
1 Grand Canal Street Lower
Dublin, Ireland

The processing is carried out on the basis of Art. 6 para. 1 lit. b GDPR and Art. 6 para. 1 lit. f GDPR. Stripe may transfer data to third countries, in particular the USA. Such transfers take place according to Stripe, on the basis of suitable guarantees such as standard contractual clauses and - where relevant on the basis of the EU-U.S. Data Privacy Framework.

For further information, please refer to Stripe's privacy policy: https://stripe.com/de/privacy

8. Automated processing via Zapier (and Make.com, if applicable)

For the automation of business processes (e.g. processing of form submissions, generation of Stripe payment links, creation of automated offers and invoices, transfer of booking and contract booking and contract data in Google Sheets or Google Docs), we use the service Zapier In individual cases, comparable processes may also be carried out via Make.com be displayed.

Service provider:

• Zapier Inc., 548 Market St #62411, San Francisco, CA 94104, USA
• (optional) Make Group a.s. / Celonis, Inc. – „Make“ platform, based in Czechia/USA, among other locations

In particular, the following data may be processed and transferred between systems:

• Form and booking details (e.g. name, contact details, event, pass model, number of tickets, prices)
• Invoice, quotation and payment data (e.g. invoice number, due date, payment status)
• Technical metadata (e.g. times, internal IDs) for controlling workflows

The legal bases are Art. 6 para. 1 lit. b GDPR and Art. 6 para. 1 lit. f GDPR. Data transfers to third countries, in particular to the USA, are carried out on the basis of Art. 46 GDPR (e.g. standard contractual clauses) and - where relevant - additionally on the basis of suitable certifications.

Privacy policy Zapier: https://zapier.com/privacy
Information about Make: https://www.make.com/en/privacy-notice

8a. Telephone pre-tuning, AI assistance, Retell AI and Twilio

To pre-arrange premium hospitality enquiries by telephone, to answer incoming calls, calls, to carry out desired callbacks and for structured forwarding to our Private Client Service we can use digital telephony and AI assistance systems. These include in particular Retell AI for AI-supported language assistance, conversation management, transcription and summarising conversations and Twilio for telephony infrastructure, phone numbers, call setup and call forwarding.

As part of this telephone pre-arrangement, Victoria, our digital private client assistant, contact you by telephone in connection with your enquiry or answer incoming calls. Victoria is used for the structured recording and pre-qualification of your premium hospitality enquiry. A final check, quotation, price confirmation, availability confirmation, reservation or booking is not carried out by Victoria. by Victoria, but exclusively by our Private Client Service or by authorised employees. authorised employees.

In this context, the following data in particular may be processed:

• Master data and contact details such as name, title, e-mail address, telephone number and, if applicable, company
• Details from your enquiry such as event, event date, desired category, number of guests or seats, budget and special requests
• Telephony data such as called or calling number, time, duration, connection status and technical metadata
• Contents of the conversation, insofar as these are discussed during the preliminary telephone consultation
• Transcripts, call summaries, call notes and qualifiers for internal processing by Private Client Service
• Information on whether written feedback, a personal callback or a further examination is required

The processing is carried out to process your enquiry, to carry out pre-contractual measures, for the efficient organisation of our private client process and for internal quality and process assurance. The legal bases are Art. 6 para. 1 lit. b GDPR, insofar as the processing is necessary for the implementation of pre-contractual measures or to process your enquiry, and Art. 6 para. 1 lit. f GDPR on the basis of our our legitimate interest in efficient, structured and high-quality processing of premium hospitality enquiries. premium hospitality enquiries. Insofar as express consent is obtained, the processing is carried out is also carried out on the basis of Art. 6 para. 1 lit. a GDPR.

Service provider:

• Retell Global Inc., 70 Mercer St., 2nd Floor, New York, NY 10012, USA
• Twilio Inc., 101 Spear Street, San Francisco, CA 94105, USA, and affiliated Twilio companies

The processing or transfer of personal data to third countries, in particular the USA, cannot be ruled out. cannot be excluded. Insofar as data is transferred to third countries, this is done on the basis of suitable guarantees in accordance with Art. 44 ff. GDPR, in particular standard contractual clauses, additional protective measures and - where relevant - suitable certifications or other authorised transfer mechanisms. transfer mechanisms.

Conversation notes, transcripts and technical connection data are only stored for as long as is necessary necessary for the processing of the enquiry, internal traceability, quality assurance or legal retention obligations. They will not be used for other purposes without a separate legal basis.

Further information can be found in the providers' data protection notices:
Retell AI: https://www.retell.co/privacy-policy
Twilio: https://www.twilio.com/en-us/legal/privacy

9. Google Workspace (Sheets, Docs, Drive)

For internal organisation, for preparing offers and invoices and for managing booking and contract data, we use contract data we use Google Workspace (e.g. Google Sheets, Google Docs, Google Drive).

Service provider:

Google Ireland Limited
Gordon House, Barrow Street
Dublin 4, Ireland

Data may also be processed in data centres outside the EU, in particular in the USA. The transfer takes place on the basis of suitable guarantees in accordance with Art. 46 GDPR and - where relevant - additional additional certification mechanisms. The legal bases are Art. 6 para. 1 lit. b GDPR and Art. 6 para. 1 lit. f GDPR.

10. Newsletter dispatch via rapidmail

We use the service rapidmail GmbH, Wentzingerstraße 21, 79106 Freiburg, Germany.

When you subscribe to our newsletter, we process:

• E-mail address
• Name (optional)
• Information on the use of the newsletter, such as openings and clicks, insofar as this is used for statistical analysis

The legal basis for sending the newsletter is your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future, e.g. via the unsubscribe link in the newsletter.

11. Communication via WhatsApp Business

For quick communication with customers and interested parties, we use WhatsApp Business. The provider is WhatsApp Ireland Limited, Merrion Road, Dublin 4, Ireland.

When you communicate with us via WhatsApp, your telephone number, message content and communication metadata and communication metadata such as times are processed. The use of WhatsApp is voluntary. Alternatively, you can contact us by email or telephone at any time.

The legal bases are Art. 6 para. 1 lit. b GDPR for contract-related or pre-contractual communication and Art. 6 para. 1 lit. f GDPR due to our legitimate interest in fast and customer-friendly communication. It cannot be ruled out that data may also be transferred to third countries, in particular the USA. Further information can be found in WhatsApp's privacy policy.

12. Typeform (used optionally)

For certain surveys or special enquiry forms, we may Typeform use. The provider is Typeform S.L., Carrer Bac de Roda 163, 08018 Barcelona, Spain.

Data processed in this context generally corresponds to the information provided in the respective form (e.g. name, contact details, enquiry content). The legal basis is Art. 6 para. 1 lit. b GDPR or Art. 6 para. 1 lit. a GDPR, if consent is expressly obtained.

13. Hosting and server log files (Mittwald)

Our website is registered with the Mittwald CM Service GmbH & Co. KG, Königsberger Straße 4-6, 32339 Espelkamp, Germany. The data processed via our website is stored on servers in Germany. Germany.

When you access the website, information transmitted by your browser is automatically collected and stored in server log files. These are in particular

• IP address (abbreviated or pseudonymised, where possible)
• Date and time of the enquiry
• Time zone difference from GMT
• Content of the request (specific page)
• Access status/HTTP status code
• amount of data transferred
• Browser type and version, operating system
• referrer URL

The log files are used to ensure trouble-free operation, system security and error analysis. error analysis. The legal basis is Art. 6 para. 1 lit. f GDPR. Log files are generally deleted after a few weeks, unless longer storage is required for evidence purposes.

14. Cookies, consent management and tracking

14.1 Cookies and similar technologies

We use cookies and similar technologies (e.g. local storage) to provide basic functions of the website, to analyse website, to analyse usage and, if necessary, to evaluate marketing measures. The legal basis for strictly necessary cookies is § 25 para. 2 TDDDG in conjunction with Art. 6 para. 1 lit. f GDPR. For all other cookies, we obtain your consent in accordance with Section 25(1) TDDDG and Art. 6(1)(a) GDPR.

14.2 Borlabs Cookie

We use the tool to obtain and manage consents. Borlabs Cookie. In particular, your cookie settings and consents are stored so that your selection can be taken into account be taken into account for further visits and to be able to prove your consent. The legal basis is Art. 6 para. 1 lit. c GDPR and Art. 6 para. 1 lit. f GDPR.

14.3 Google Tag Manager

We set the Google Tag Manager to centrally manage and deliver scripts. According to our configuration, the Tag Manager itself does not store any independent analysis profiles, but is used for the technical integration of other services. The actual data processing is carried out by the respective integrated services and only if you have consented to this.

14.4 Google Analytics

If you consent, we will use Google Analytics for range measurement and statistical analysing the use of our website. In particular, usage data, device and browser information may be processed, interactions on the website and technically required connection data may be processed.

The legal basis is your consent in accordance with Art. 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TDDDG. According to Google, IP addresses of users from the EU are not logged or stored by Google Analytics. or stored. You can revoke your consent at any time via the cookie settings.

14.5 Google reCAPTCHA

If activated on individual forms, we use Google reCAPTCHA, to protect our website and input forms from spam, misuse and automated attacks. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

When using reCAPTCHA, technical information such as IP address, browser and device properties can be stored, referrer, mouse and keyboard interactions, timestamps and, if applicable, information about your usage behaviour on the website behaviour on the website, insofar as this is necessary for bot detection.

The legal basis is our legitimate interest in the security of our website and forms pursuant to Art. 6 para. 1 lit. f GDPR. Insofar as the use of reCAPTCHA requires access to end device information is used, the permissibility is also based on § 25 TDDDG.

15. Debt collection (Paywise)

In order to enforce outstanding claims, in particular from Pass memberships and ticket brokerage, we can the debt collection service provider Paywise Limited, Schönhauser Allee 163, 10435 Berlin, Germany, to order.

In this context, we may transfer the following data to Paywise:

• Personal and contact details (name, address, email, telephone number)
• Contract and booking details (e.g. event concerned, Pass membership, invoice number)
• Receivables data (invoice amount, outstanding amounts, reminder levels)
• Communication and payment information (e.g. previous reminders, payment attempts)

The purpose of the processing is the assertion and enforcement of our justified claims and the defence against defence against unfounded claims. The legal bases are Art. 6 para. 1 lit. b GDPR, Art. 6 para. 1 lit. f GDPR and - where relevant - Art. 6 para. 1 lit. c GDPR.

16. Storage period

We only store personal data for as long as is necessary for the respective purposes or as long as we are we are legally obliged to do so. The storage period depends in particular on:

• Term of contracts and passport memberships,
• statutory retention periods (e.g. regularly 10 years under tax and commercial law),
• Limitation periods for civil law claims,
• Your consent (until revoked).

After expiry of the respective deadlines, the data will be deleted or anonymised, provided that legal retention obligations or overriding legitimate interests do not prevent this.

17. Obligation to provide data

In the context of enquiries, bookings and passport applications, the data to be provided is that which is necessary for the necessary or legally required for the execution of the respective process. Without this data we cannot conclude or fulfil the contract. All other information is voluntary.

18. Your rights as a data subject

You have the following rights within the scope of the legal requirements:

• Right to information about your personal data processed by us (Art. 15 GDPR)
• Right to rectification Incorrect or incomplete data (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR), provided that there are no legal retention obligations to the contrary
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• right of objection against processing based on Article 6(1)(e) or (f) of the GDPR (Article 21 of the GDPR)
• Right of withdrawal withdrawn consent with effect for the future (Art. 7(3) GDPR)

You may contact us at any time to exercise your rights: office@vto-elite-hospitality.com

19. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority if you are of the opinion that the processing of your personal data violates the GDPR. The competent authority is in particular the supervisory authority of the federal state in which you have your habitual residence or the authority responsible for the competent authority for the registered office of our company.

20. Data security

We take appropriate technical and organisational measures to protect your data from loss, misuse, unauthorised access, alteration and destruction. This includes, in particular, encryption during transmission (SSL/TLS), access and authorisation concepts and regular system updates.

21. Amendments to this privacy policy

We reserve the right to amend this privacy policy in order to adapt it to changes in the legal situation, technical developments or changes to our services. Your visit will always be subject to the current version published on this page.