Privacy Policy
Privacy Policy
Last updated: June 20, 2026
1. Data Controller
SITOS – Retreats GbR
Dilan & Baran Lukacek
Hauptstraße 38
73550 Waldstetten
Germany
E-mail: sitos-retreats@gmx.de
Phone: +49 151 42855494
Website: www.sitos-retreats.com
2. General Information on Data Processing
The protection of your personal data is important to us. We process your personal data exclusively in accordance with the applicable data protection laws, in particular the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
This Privacy Policy explains which personal data we collect, how we use it, and what rights you have.
3. Purposes and Legal Bases of Processing
We process personal data in particular for the following purposes:
-
Providing our website,
-
Responding to inquiries,
-
Processing bookings and payments,
-
Communication via messenger services,
-
Conducting our retreats, events, and other services,
-
Analyzing user behavior,
-
Marketing and public relations,
-
Creating and publishing photos and videos,
-
Ensuring the security and optimization of our website.
Legal bases for processing:
-
Article 6(1)(a) GDPR (consent),
-
Article 6(1)(b) GDPR (contract performance and pre-contractual measures),
-
Article 6(1)(c) GDPR (legal obligations),
-
Article 6(1)(f) GDPR (legitimate interests).
4. Hosting by Wix and Server Log Files
Our website is hosted by Wix.com Ltd., Nemal St. 40, 6350671 Tel Aviv, Israel.
The following information is automatically processed through server log files, including:
-
IP address,
-
Device and browser information,
-
Date and time of access,
-
Visited pages,
-
Referrer URL,
-
Operating system and language settings.
The processing is based on Article 6(1)(f) GDPR and serves to ensure the stability and security of the website.
5. Cookies and Consent Management
Our website uses cookies and similar technologies.
Technically necessary cookies are required for the functionality and security of the website and cannot be disabled.
Analytics, statistical, and marketing cookies are only used with your consent.
You may withdraw your consent at any time through the cookie banner.
6. Contact and Contact Forms
If you contact us via contact form, e-mail, telephone, or messenger services, we process the information you provide solely for the purpose of handling your inquiry.
Legal bases:
-
Article 6(1)(b) GDPR,
-
Article 6(1)(f) GDPR.
7. Bookings and Payments
In the context of bookings, we process in particular:
-
Name,
-
Address,
-
Contact details,
-
Booking information,
-
Payment information.
Payments are processed through external payment and banking service providers, in particular PayPal and the online bank FYRST.
We do not receive complete bank account details, but only the information necessary for payment processing, payment allocation, and the fulfillment of legal obligations.
Legal bases:
-
Article 6(1)(b) GDPR,
-
Article 6(1)(c) GDPR.
8. Processing of Special Categories of Personal Data
As part of our retreats, events, and individual services, we may process information regarding allergies, intolerances, health restrictions, or other health-related data voluntarily provided by participants.
Such data is processed exclusively for the safe and proper delivery of our services.
Legal bases:
-
Article 9(2)(a) GDPR,
-
Article 6(1)(b) GDPR.
9. Embedded Content
Our website may contain content from external providers, including:
-
YouTube videos,
-
Maps,
-
Social media content.
As a result, your IP address may be transmitted to the respective providers.
Any processing for analytics or marketing purposes takes place only with your consent.
10. Google Analytics
We use Google Analytics with IP anonymization enabled.
The following data may be processed in particular:
-
Anonymized IP address,
-
Device information,
-
Browser information,
-
Visited pages,
-
Time spent on the website,
-
Interactions and click behavior.
Processing is carried out exclusively on the basis of your consent pursuant to Article 6(1)(a) GDPR.
Data may be transferred to the United States. Such transfers are based on the EU-U.S. Data Privacy Framework and supplementary Standard Contractual Clauses.
11. Meta Pixel, TikTok Pixel, and Pinterest Pixel
We use marketing and tracking technologies provided by Meta, TikTok, and Pinterest.
These technologies enable website visitors to be recognized and targeted advertisements to be displayed.
Processing takes place exclusively on the basis of your consent pursuant to Article 6(1)(a) GDPR.
Data transfers to third countries, particularly the United States, cannot be ruled out.
12. Messenger Communication
You can reach us in particular through the following services:
-
WhatsApp,
-
Instagram Direct Messages,
-
TikTok Messages.
Communication via these channels is voluntary.
Legal bases:
-
Article 6(1)(a) GDPR,
-
Article 6(1)(b) GDPR,
-
Article 6(1)(f) GDPR.
Alternatively, you may contact us at any time via e-mail or telephone.
13. Social Media Presence
We maintain profiles on, among others:
-
Instagram,
-
TikTok,
-
YouTube,
-
Pinterest,
-
Threads,
-
LinkedIn.
The operators of these platforms may process personal data for analytics and advertising purposes.
Legal basis:
-
Article 6(1)(f) GDPR.
14. Photo and Video Recordings
Photographs and videos may be created during our retreats, events, and services for documentation and marketing purposes.
Processing is carried out either on the basis of your consent pursuant to Article 6(1)(a) GDPR or, where legally permissible, on the basis of our legitimate interest pursuant to Article 6(1)(f) GDPR.
You may object to such processing at any time.
15. International Data Transfers
Where personal data is transferred to third countries, such transfers are carried out solely on the basis of appropriate safeguards, including:
-
EU Standard Contractual Clauses,
-
Adequacy Decisions,
-
the EU-U.S. Data Privacy Framework.
16. Data Retention
We store personal data only for as long as necessary for the respective purposes or as required by statutory retention obligations.
In particular, the following retention periods apply:
-
10 years for tax-related documents,
-
6 years for business records,
-
3 years for civil law claims.
17. Data Security
We implement appropriate technical and organizational measures to protect your personal data against loss, misuse, or unauthorized access.
Our website uses encrypted communication via TLS/SSL.
18. Rights of Data Subjects
You have the right to:
-
Access (Article 15 GDPR),
-
Rectification (Article 16 GDPR),
-
Erasure (Article 17 GDPR),
-
Restriction of processing (Article 18 GDPR),
-
Data portability (Article 20 GDPR),
-
Object to processing (Article 21 GDPR),
-
Withdraw your consent at any time (Article 7(3) GDPR).
Furthermore, you have the right to lodge a complaint with a supervisory authority, in particular with the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg.
19. Changes to this Privacy Policy
We reserve the right to amend this Privacy Policy whenever changes in legislation, technical circumstances, or our data processing activities require it.
The version published on our website shall always apply.