Privacy Policy

Last updated: 2026-05-17. This policy covers all processing of personal data in connection with duk42a.com and the DUK42a apartments at Killisfeldstraße 42a, 76227 Karlsruhe, Germany.

With this privacy policy we inform you comprehensively about the processing of personal data in connection with the operation of duk42a.com and the rental of the DUK42a apartments. We take the protection of your data seriously and handle your personal information confidentially and in accordance with applicable data protection law (in particular the GDPR — Regulation (EU) 2016/679 — and the German Federal Data Protection Act BDSG).

This policy applies regardless of whether you visit our website, make a booking, check in, or contact us through any other channel. It covers all data flows necessary for operating the apartments and meeting statutory obligations (in particular the German accommodation reporting duty and the local accommodation tax).

1. Data Controller

The data controller responsible for processing within the meaning of the GDPR is:

For data protection enquiries, please contact us directly at info@duk42a.com.

2. Data Protection Officer

Given the size and nature of our business activity, we are not legally required to appoint a data protection officer (§ 38 BDSG, Art. 37 GDPR). For all data protection matters please contact us at the address above.

3. Overview of Processing Activities

We process personal data in the following contexts:

1. Visiting this website (duk42a.com)
2. Contacting us by e-mail, phone or WhatsApp
3. Bookings via our direct booking system (www.duk42a.com)
4. Bookings via third-party platforms (Booking.com, Airbnb, Monteurzimmer.de)
5. Check-in and statutory reporting duty (hotel guest registration form)
6. Local accommodation tax (City Tax) of the City of Karlsruhe
7. Payment processing

4. Visiting this website

4.1 Server log files

When you access this website, our hosting provider automatically records information in so-called server log files:

• IP address of the requesting device
• Date and time of access
• URL of the page or resource accessed
• Amount of data transferred
• HTTP status code
• Referrer URL (the page from which the visitor came)
• Browser type and operating system (user agent)

Data categories: technical / traffic data (IP address, browser identifier, access time, referrer URL).
Purpose: technical operation of the website, security, abuse prevention.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in stable and secure operation).
Storage period: max. 7 days at the hosting provider, then automatic deletion. The data is not merged with other sources.

4.2 Cookies and tracking

This website sets no cookies of its own and uses no tracking services (no Google Analytics, no Facebook Pixel, no Matomo etc.). Only technically necessary requests for images, fonts and stylesheets via the same domain are made.

If we introduce analytics or other cookie-based functionality in the future, we will first obtain your consent via a cookie banner and update this privacy policy accordingly.

4.3 Hosting

This website (apex duk42a.com) is hosted by:

The hosting provider processes the data mentioned in 4.1 on our behalf (Art. 6 (1) f GDPR). A data processing agreement under Art. 28 GDPR is in place.

5. Contacting us by e-mail, phone or WhatsApp

If you contact us by e-mail (e.g. at info@duk42a.com), phone or WhatsApp, the information you provide is stored for the purpose of processing your enquiry. This typically includes:

• Name
• Contact details (e-mail, phone number)
• Content of your enquiry
• For WhatsApp: possibly profile picture, status information, phone number

Data categories: master data (name), contact data (e-mail, phone, where applicable WhatsApp profile information), content data (your message).
Purpose: responding to your enquiry, initiation or performance of a contract.
Legal basis: Art. 6 (1) (b) GDPR (contract initiation/performance), Art. 6 (1) (f) GDPR (legitimate interest in answering enquiries).
Storage period: data is deleted once it is no longer needed for the purposes of its collection, at the latest upon expiry of statutory retention obligations (up to 10 years under § 257 HGB / § 147 AO for tax-relevant correspondence).

5.1 WhatsApp specifically

If you contact us via WhatsApp, your data is additionally processed by WhatsApp Ireland Ltd. (Meta group). WhatsApp acts as either processor or independent controller for transmitting the messages. We have no influence on the processing carried out by WhatsApp / Meta. Please note the WhatsApp Privacy Policy. If you do not want this processing, please contact us by e-mail or phone instead.

6. Bookings via our direct booking system (www.duk42a.com)

At www.duk42a.com we operate a direct booking system for our apartments. Technically this is provided by our partner Guesty.

Data processed:

• Name, address, e-mail, phone
• Desired period, apartment, number of persons
• Payment information (see Section 7)
• Messages between guest and host in the booking chat

Data categories: master data (name, address), contact data (e-mail, phone), contract data (stay period, apartment, number of persons), payment data (see Section 7), content data (messages in the booking chat).
Purpose: conclusion and performance of the accommodation contract.
Legal basis: Art. 6 (1) (b) GDPR (contract performance).
Recipient / processor:

Guesty provides the booking system on the domain www.duk42a.com. Guesty in turn uses Amazon Web Services (AWS) as hosting infrastructure. A data processing agreement under Art. 28 GDPR is in place with Guesty. Any transfer to the USA is based on EU Standard Contractual Clauses (SCC) and, where applicable, the EU-US Data Privacy Framework.

Storage period: booking data is stored for the duration of the stay and afterwards in accordance with commercial and tax retention obligations (up to 10 years, § 147 AO, § 257 HGB).

7. Bookings via third-party platforms

We also offer our apartments via third-party platforms. The respective platform acts as an independent controller until the booking is transferred to us. Currently relevant are:

• Booking.com B.V., Herengracht 597, 1017 CE Amsterdam, Netherlands — Booking.com Privacy Statement
• Airbnb Ireland UC, 8 Hanover Quay, Dublin 2, Ireland — Airbnb Privacy Policy
• Monteurzimmer.de (deinzimmer.de GmbH, Stuttgart, Germany) — Monteurzimmer.de privacy policy

Data categories: master data (name), contact data (e-mail, phone), contract data (stay period, number of persons).
Purpose: performance of the accommodation contract.
Legal basis: Art. 6 (1) (b) GDPR (contract performance).

After a successful booking we receive from the respective platform the data necessary to perform the accommodation contract. The further processing by us is otherwise subject to this privacy policy.

7.1 Source of data (Art. 14 GDPR)

If you book with us through a third-party platform (Booking.com, Airbnb, Monteurzimmer.de), we do not receive your data directly from you but from the respective platform — the source of the data is the information you provided in that booking system and the platform's own booking process. As against us, you have the same rights (access, rectification, erasure, restriction, objection) as for a direct booking — see the section on your rights below.

8. Check-in and statutory reporting duty (hotel guest registration)

As an accommodation business we are legally obliged to collect a special registration form from foreign guests in accordance with §§ 29, 30 of the German Federal Registration Act (Bundesmeldegesetz, BMG). This obligation also applies to foreign co-travellers of a German main guest and irrespective of the booking channel (direct, OTA, walk-in). For German citizens, this special registration requirement in accommodation facilities has been abolished as of 1 January 2025 (Fourth Bureaucracy Relief Act – BEG IV).

Data collected pursuant to § 30 BMG:

• Day of arrival and expected departure
• Family name, given name(s)
• Date of birth
• Nationality (for foreign guests)
• Address
• Number of accompanying persons
• For foreign guests: type, number and issuing authority of the valid identity document carried (ID card, passport)
• Personal signature (handwritten or digital, depending on the authentication procedure used)

Identity is verified in accordance with § 29 (5) BMG. We use our own digital check-in application (registration form app) which runs on a virtual server at Hetzner Online GmbH in Germany.

Recipient / processor (hosting of the registration app):

Hetzner processes the data exclusively in EU data centres. A data processing agreement under Art. 28 GDPR is in place.

Data categories: master data (name, address, date of birth, nationality), stay data (arrival/departure, accompanying persons), identification data (type, number, issuing authority of the identity document), personal signature. Where the content of an identity document is processed, this constitutes in part special categories of personal data within the meaning of Art. 9 GDPR.
Purpose: fulfilment of statutory reporting and retention obligations under the BMG.
Legal basis: Art. 6 (1) (c) GDPR (legal obligation) in conjunction with §§ 29, 30 BMG. For the processing of identity document data additionally Art. 9 (2) (c) GDPR or § 22 (1) No. 1 BDSG insofar as special categories of personal data are concerned.
Storage period: registration forms are kept for one year (§ 30 (4) BMG) and then deleted or destroyed within three months, unless longer retention is required under commercial or tax law.

Disclosure to authorities: the registration forms must be submitted to the authorities on request (§ 30 (3) BMG). No general transmission takes place.

9. Local accommodation tax (City Tax)

The City of Karlsruhe levies a tax on chargeable short-term accommodation. As tax debtor we are obliged to submit a tax declaration to the municipal treasury at regular intervals (quarterly).

Data categories: aggregated stay data (number of taxable overnight stays); on specific official request also individual booking and master data.
Data transmitted: aggregated number of taxable overnight stays, where applicable with proof of stay. Personal individual data is only disclosed upon specific official request.
Recipient: City of Karlsruhe, Municipal Treasury (Stadtkämmerei), Lammstr. 7a, 76133 Karlsruhe, Germany.
Legal basis: Art. 6 (1) (c) GDPR in conjunction with the City of Karlsruhe's bylaw on the local accommodation tax.
Storage period: 10 years pursuant to § 147 AO.

10. Payment processing

Payment of your booking is processed via different service providers depending on the booking channel:

• Direct booking via www.duk42a.com: handled via the payment function integrated in Guesty (typically through Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland)
• Booking.com / Airbnb / Monteurzimmer.de: payment via the respective platform, see their privacy notices (Section 7)
• On-site: cash or card payment via SumUp Payments Limited, Block 8, Harcourt Centre, Charlotte Way, Dublin 2, Ireland

Data categories: payment data (card pseudonyms, transaction IDs, receipt data). Actual payment-instrument data (e.g. full card numbers) is processed exclusively by the respective payment service provider and not stored by us.
Legal basis: Art. 6 (1) (b) GDPR (contract performance).
Storage period: payment receipts are retained for 10 years pursuant to § 257 HGB / § 147 AO.

11. Recipients of personal data

We only transmit your personal data to recipients required for the respective processing. We distinguish two groups:

11.1 Processors (processing data on our behalf)

These service providers are bound by our instructions and committed to confidentiality through an Art. 28 GDPR contract:

• Web hosting and e-mail provider based and operating data centres in Germany (for duk42a.com and the associated mailboxes)
• Hosting provider for the check-in / registration form application with data centre in Germany
• Booking system provider: Guesty Inc. (with EU establishment in France), providing the booking interface at www.duk42a.com. Since Guesty processes parts of the data in the USA (Amazon Web Services), a transfer to a third country occurs — see Section 12.
• Payment service providers based in the EU (online payment via the booking system; on-site card payment via a separate provider)

11.2 Independent controllers (recipients who decide on the use themselves)

• Third-party booking platforms: Booking.com B.V. (Netherlands), Airbnb Ireland UC (Ireland), deinzimmer.de GmbH / Monteurzimmer.de (Germany) — if you book via these platforms, they are initially independent controllers until the booking is transferred to us
• Messaging service: WhatsApp Ireland Ltd. (Meta group, registered in Ireland, parent company in the USA) — insofar as you contact us via WhatsApp. Group-wide data processing may involve a third-country transfer to the USA — see Section 12.
• Public authorities: City of Karlsruhe (Municipal Treasury) for the local accommodation tax; on specific request, where applicable, the registration authority under BMG

Contracts under Art. 28 GDPR are in place with the processors listed under 11.1. A complete list of the processors we engage is kept internally in our record of processing activities under Art. 30 GDPR; we provide this list to supervisory authorities on request and disclose it to data subjects within the scope of their right of access under Art. 15 GDPR.

No transmission to third parties outside the recipients listed above takes place.

12. Transfers to third countries

Insofar as personal data is transferred to countries outside the EU/EEA (in particular to the USA via Guesty / AWS and Meta), this is based on:

• EU Standard Contractual Clauses (Art. 46 (2) (c) GDPR), or
• the EU-US Data Privacy Framework, where the recipient is certified (www.dataprivacyframework.gov), or
• your explicit consent pursuant to Art. 49 (1) (a) GDPR in individual cases.

13. Data security (technical and organisational measures)

We take appropriate technical and organisational measures to protect your personal data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorised access by third parties (Art. 32 GDPR). Our security measures are continuously improved in line with technological developments. They include in particular:

• Encrypted transmission: all data transmissions between our website and your device take place via TLS-encrypted HTTPS connections
• Access protection: access to processing systems is restricted to the controller and explicitly authorised processors; password protection and two-factor authentication where available
• Data minimisation: we only collect the data required for the respective purpose
• Retention discipline: data is deleted or anonymised once no statutory retention obligation and no concrete purpose remains
• Careful selection of processors: processors (in particular all-inkl, Guesty, Hetzner) are selected according to data protection criteria; Art. 28 GDPR contracts are in place
• EU data centres preferred: for data with high protection requirements (in particular registration form data) we use data centres within the EU

14. Personal data breaches and notification obligations

In the event of a breach of the protection of personal data within the meaning of Art. 4 (12) GDPR, we will promptly assess whether there is a notification obligation to the competent supervisory authority under Art. 33 GDPR (notification within 72 hours if a risk to the rights and freedoms of data subjects is likely). If a high risk to data subjects is likely, we will additionally notify you without undue delay pursuant to Art. 34 GDPR.

If, as a data subject, you have any indication or suspicion of a possible data protection breach, please contact us immediately: info@duk42a.com. Such reports are treated confidentially.

15. Your rights as a data subject

You have the right to:

• Access to your personal data (Art. 15 GDPR)
• Rectification of inaccurate or completion of incomplete data (Art. 16 GDPR)
• Erasure ("right to be forgotten") (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection to processing based on Art. 6 (1) (f) GDPR, on grounds relating to your particular situation (Art. 21 GDPR)
• Withdrawal of consent at any time with effect for the future (Art. 7 (3) GDPR)

For statutory processing (in particular reporting obligations under BMG and tax retention), the right to erasure or objection may be restricted.

16. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for us is:

17. Obligation to provide data

As part of our business relationship you must provide the personal data necessary for entering into, performing and terminating the business relationship as well as for fulfilling the associated contractual and statutory obligations (e.g. reporting obligations). Without these data we cannot conclude or perform the contract with you.

18. Automated decisions / profiling

We do not use fully automated decision-making systems within the meaning of Art. 22 GDPR. No profiling takes place.

19. Changes to this policy

This privacy policy may be amended to reflect changes in the legal framework or in our services. The current version is available at https://duk42a.com/en/datenschutz.html. The date of the last update is shown at the top of this document.

20. Status and references from third-party applications

This privacy policy is the canonical document for all DUK42a services. It is referenced inter alia from:

• the direct booking platform at www.duk42a.com (Guesty)
• the check-in / registration form application
• listings on Booking.com, Airbnb, Monteurzimmer.de
• e-mail signatures and contact confirmations

← Back to home