Data protection | Privacy

Status: January 2026

With the following information we inform you about the processing of personal data when using our website www.vip-tickets-only.com as well as in the context of our enquiry, booking, passport and placement processes. The processing is carried out in accordance with the of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and the TTDSG.

1. responsible person

The controller within the meaning of the GDPR is:

VTO Elite Hospitality UG (limited liability)
Breitscheidstraße 59
15827 Blankenfelde-Mahlow
Germany

E-Mail: office@vto-elite-hospitality.com
Represented by the managing director: Dirk Ninnemann

2. Principles of data processing

We process personal data only to the extent necessary to provide a functional website, to process enquiries, to fulfil contracts (including passport memberships), to fulfil legal obligations or to protect legitimate interests. Insofar as we obtain consent for certain processing operations, the processing is carried out on the basis of Art. 6 para. 1 lit. a GDPR; consent given can be revoked at any time with effect for the future. be revoked at any time with effect for the future.

3. Purposes of data processing and legal bases

We process personal data in particular for the following purposes and on the following legal bases:

• Provision of tickets and hospitality services, Processing customer enquiries, processing of bookings and projects, preparation and dispatch of quotations and invoices
  – Legal basis: Art. 6(1)(b) GDPR (performance of a contract/pre-contractual measures)
• Management of passport memberships (Gold, Platinum, Elite), including contract term, automatic renewal, payment monitoring, dunning and debt collection
  - Legal basis: Art. 6 para. 1 lit. b GDPR, Art. 6 para. 1 lit. f GDPR (legitimate interest in the efficient management of member contracts)
• payment processing (e.g. via Stripe, bank transfer)
  – Legal basis: Art. 6(1)(b) GDPR
• Automated process control (e.g. via Zapier, possibly Make.com), internal organisation (e.g. Google Workspace)
  - Legal basis: Art. 6 para. 1 lit. b GDPR, Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient, secure processing)
• Communication with customers and interested parties (e.g. by email, telephone, WhatsApp Business)
  – Legal basis: Art. 6(1)(b) GDPR, Art. 6(1)(f) GDPR
• newsletter dispatch (via rapidmail) and marketing communications
  – Legal basis: Art. 6(1)(a) GDPR (consent)
• Provision of the website and IT security (e.g. log files, hosting)
  – Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operation)
• Reach measurement, statistics and tracking (e.g. using cookies, Google Analytics)
  – Legal basis: Art. 6(1)(a) GDPR in conjunction with Section 25 TTDSG (consent)
• Compliance with legal obligations (e.g. tax retention obligations)
  – Legal basis: Art. 6(1)(c) GDPR

4. Categories of personal data processed

Depending on the process, we process the following categories of personal data in particular:

• Master data (name, title, position/title if applicable)
• Contact details (address, email, telephone number)
• Company details (company name, VAT ID, billing address)
• Form data from online forms (e.g. event, date, passport model, number of tickets, price, payment method)
• Booking and contract details (offer number, invoice number, passport validity, renewal)
• Payment data (e.g. payment status, payment method; credit card data only through Stripe)
• Communication data (e-mail content, telephone notes, WhatsApp chats)
• Newsletter data (e-mail address, opening and clicking behaviour, if consented to)
• Technical data and logs (IP address, browser type, operating system, access times, referrer URL)
• Cookie IDs and online identifiers, provided you consent

5. Origin of the data

As a rule, we receive the data directly from you when you use our website, fill out a form, make bookings, apply for pass memberships or get in touch with us.

Data may also originate from the following sources:

• technical systems and tools (e.g. payment service providers, automation services, newsletter tool),
• public sources (e.g. company registers, your company's website), where necessary.

6. Processing via forms (e.g. Elementor Forms)

On our website, we use forms (e.g. based on Elementor Forms) to record enquiries, bookings and passport applications. Mandatory fields are labelled as such. If these fields are not completed, the enquiry may not be processed.

Depending on the purpose, the following data in particular is collected via the forms:

• Name, title, company (if applicable)
• Address and contact details
• Event and booking information (e.g. event, date, number of tickets, areas)
• Pass membership details (e.g. desired model: Gold, Platinum, Elite)
• Price and payment information (e.g. total amount, preferred payment method)
• Optional comments and special requests

The legal basis for the processing is Art. 6 para. 1 lit. b GDPR (contract initiation and fulfilment) and - in the case of voluntary information - Art. 6 para. 1 lit. a GDPR (consent).

7. Payment processing via Stripe

For credit card payments, we use the payment service provider Stripe Payments. If you select the „credit card“ payment method or use a Stripe checkout link, your data (e.g. name, email address, invoice amount (e.g. name, e-mail address, invoice amount, invoice number and IP address) are transmitted to Stripe. Credit card data is only collected and processed directly by Stripe; we do not receive this data.

Service provider:

Stripe Payments Europe Ltd.
1 Grand Canal Street Lower
Dublin, Ireland

The processing is carried out on the basis of Art. 6 para. 1 lit. b GDPR (fulfilment of contract) and Art. 6 para. 1 lit. f GDPR (legitimate interest in secure and efficient payment processing). Stripe may transfer data to third countries (in particular the USA). The transfer takes place on the basis of suitable guarantees (e.g. standard contractual clauses, DPF certifications).

For further information, please refer to Stripe's privacy policy: https://stripe.com/de/privacy.

8. Automated processing via Zapier (and Make.com, if applicable)

For the automation of business processes (e.g. processing of form submissions, generation of Stripe payment links, creation of automated offers and invoices, transfer of booking and contract booking and contract data in Google Sheets or Google Docs), we use the service Zapier In individual cases, comparable processes may also be carried out via Make.com be displayed.

Service provider:

• Zapier Inc., 548 Market St #62411, San Francisco, CA 94104, USA
• (optional) Make Group a.s. / Celonis, Inc. – „Make“ platform, based in Czechia/USA, among other locations

In particular, the following data may be processed and transferred between systems:

• Form and booking details (e.g. name, contact details, event, pass model, number of tickets, prices)
• Invoice, quotation and payment data (e.g. invoice number, due date, payment status)
• Technical metadata (e.g. times, internal IDs) for controlling workflows

The legal bases are Art. 6 para. 1 lit. b GDPR (fulfilment of contract) and Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient, error-free process handling). The transfer of data to third countries (in particular the USA) takes place on the basis of Art. 46 GDPR (standard contractual clauses) and, where relevant, on the basis of DPF certifications.

Privacy policy Zapier: https://zapier.com/privacy
Information about Make: https://www.make.com/de/privacy-policy

9. Google Workspace (Sheets, Docs, Drive)

For internal organisation, for preparing offers and invoices and for managing booking and contract data, we use contract data we use Google Workspace (e.g. Google Sheets, Google Docs, Google Drive).

Service provider:

Google Ireland Limited
Gordon House, Barrow Street
Dublin 4, Ireland

Data may be processed in data centres outside the EU, in particular in the USA. The transfer takes place on the basis of standard contractual clauses and DPF certifications and therefore on the basis of Art. 46 GDPR. The legal bases are Art. 6 para. 1 lit. b GDPR and Art. 6 para. 1 lit. f GDPR (legitimate interest in an efficient, secure office infrastructure).

10. Newsletter dispatch via rapidmail

We use the service rapidmail GmbH, Wentzingerstraße 21, 79106 Freiburg, Germany.

When you subscribe to our newsletter, we process:

• E-mail address
• Name (optional)
• Information on the use of the newsletter (opens, clicks), provided this is done for statistical evaluation purposes

The legal basis for the dispatch is your consent in accordance with Art. 6 para. 1 lit. a GDPR. The consent at any time with effect for the future, e.g. via the unsubscribe link in the newsletter.

11. Communication via WhatsApp Business

For quick communication with customers and interested parties, we use WhatsApp Business. The provider is WhatsApp Ireland Limited, Merrion Road, Dublin 4, Ireland.

When you communicate with us via WhatsApp, your telephone number, message content and metadata (e.g. times, device information) are (e.g. times, device information) are processed. The use of WhatsApp is voluntary. Alternatively, you can contact us by email or telephone at any time.

The legal bases are Art. 6 para. 1 lit. b GDPR (fulfilment of contract / pre-contractual communication) and Art. 6 para. 1 lit. f GDPR (legitimate interest in fast communication). Data may be transferred to third countries, in particular the USA. You can find further information in the WhatsApp privacy policy.

12. Typeform (used optionally)

For certain surveys or special enquiry forms, we may Typeform use. The provider is Typeform S.L., Carrer Bac de Roda 163, 08018 Barcelona, Spain.

Data processed in this context generally corresponds to the information provided in the respective form (e.g. name, contact details, enquiry content). The legal basis is Art. 6 para. 1 lit. b GDPR (fulfilment of contract / pre-contractual measures) or Art. 6 para. 1 lit. a GDPR (consent), if expressly obtained.

13. Hosting and server log files (Mittwald)

Our website is registered with the Mittwald CM Service GmbH & Co. KG, Königsberger Straße 4-6, 32339 Espelkamp, Germany. All data processed via our website is stored on servers in Germany. Germany.

When you access the website, information transmitted by your browser is automatically collected and stored in server log files. These are in particular

• IP address (abbreviated or pseudonymised, where possible)
• Date and time of the enquiry
• Time zone difference from GMT
• Content of the request (specific page)
• Access status/HTTP status code
• amount of data transferred
• Browser type and version, operating system
• referrer URL

The log files are used to ensure trouble-free operation, system security and error analysis. error analysis. The legal basis is Art. 6 para. 1 lit. f GDPR (legitimate interest in secure operation). Log files are generally deleted after a few weeks, unless longer storage is required for evidence purposes. is required.

14. Cookies, consent management and tracking

14.1 Cookies and similar technologies

We use cookies and similar technologies (e.g. local storage) to provide basic website functions (e.g. language settings) website (e.g. language settings), to analyse usage and, if necessary, to evaluate marketing measures. evaluate marketing measures. The legal basis for strictly necessary cookies is § 25 para. 2 TTDSG in conjunction with Art. 6 para. 1 lit. f DSGVO. For all other cookies, we obtain your consent in accordance with Section 25 para. 1 TTDSG and Art. 6 para. 1 lit. a GDPR.

14.2 Borlabs Cookie

We use the tool to obtain and manage consents. Borlabs Cookie. Here In particular, your cookie settings and consents are stored in a cookie in order to take your selection taken into account for further visits. The legal basis is Art. 6 para. 1 lit. c GDPR (fulfilment of legal obligations regarding the verifiability of consent) and Art. 6 para. 1 lit. f GDPR.

14.3 Google Tag Manager

We set the Google Tag Manager to centrally manage and deliver scripts (e.g. for Google Analytics). and deliver them. The Tag Manager itself does not set any cookies and does not process any personal data personal data apart from the technically necessary information for the delivery of the tags. The actual data processing is carried out by the respective integrated services (e.g. Google Analytics), which only become only become active if you have consented to this.

14.4 Google Analytics

If you consent, we will use Google Analytics for range measurement and statistical analysing the use of our website. In particular, the following data may be processed abbreviated IP address, usage data, device and browser information, time and duration of page views, interactions on the website.

The legal basis is your consent (Art. 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TTDSG). You can withdraw your revoke your consent at any time via the cookie settings.

15. Debt collection (Paywise)

In order to enforce outstanding claims, in particular from Pass memberships and ticket brokerage, we can the debt collection service provider Paywise Limited, Schönhauser Allee 163, 10435 Berlin, Germany, to order.

In this context, we may transfer the following data to Paywise:

• Personal and contact details (name, address, email, telephone number)
• Contract and booking details (e.g. event concerned, Pass membership, invoice number)
• Receivables data (invoice amount, outstanding amounts, reminder levels)
• Communication and payment information (e.g. previous reminders, payment attempts)

The purpose of the processing is the assertion and enforcement of our justified claims and the defence against defence against unfounded claims. The legal bases are Art. 6 para. 1 lit. b GDPR (fulfilment of contract), Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient debt collection) and Art. 6 para. 1 lit. c GDPR (legal obligations to provide evidence and retain records), where applicable.

16. Storage period

We only store personal data for as long as is necessary for the respective purposes or as long as we are we are legally obliged to do so. The storage period depends in particular on:

• Term of contracts and passport memberships,
• statutory retention periods (e.g. regularly 10 years under tax and commercial law),
• Limitation periods for civil law claims,
• Your consent (until revoked).

After expiry of the respective deadlines, the data will be deleted or anonymised, provided that legal retention obligations or overriding legitimate interests do not prevent this.

17. Obligation to provide data

In the context of enquiries, bookings and passport applications, the data to be provided is that which is necessary for the necessary or legally required for the execution of the respective process. Without this data we cannot conclude or fulfil the contract. All other information is voluntary.

18. Your rights as a data subject

You have the following rights within the scope of the legal requirements:

• Right to information about your personal data processed by us (Art. 15 GDPR)
• Right to rectification Incorrect or incomplete data (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR), provided that there are no legal retention obligations to the contrary
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• right of objection against processing based on Article 6(1)(e) or (f) of the GDPR (Article 21 of the GDPR)
• Right of withdrawal withdrawn consent with effect for the future (Art. 7(3) GDPR)

You may contact us at any time to exercise your rights: office@vto-elite-hospitality.com.

19. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority if you are of the opinion that the processing of your personal data violates the GDPR. The competent authority is in particular the supervisory authority of the federal state in which you have your habitual residence or the authority responsible for the competent authority for the registered office of our company.

20. Data security

We take appropriate technical and organisational measures to protect your data from loss, misuse, unauthorised access, alteration and destruction. This includes, in particular, encryption during transmission (SSL/TLS), access and authorisation concepts and regular system updates.

21. Amendments to this privacy policy

We reserve the right to amend this privacy policy in order to adapt it to changes in the legal situation, technical developments or changes to our services (e.g. introduction of new services). For your The current version published on this page always applies to your visit.