1 General information

1.1 Objective and responsibility

1. This privacy policy informs you about the type, scope and purpose of the processing of personal data in relation to our online offering lazulirestaurant.com/ and the associated websites, functions and content (hereinafter jointly referred to as “online offering” or “website”). Details of these processing activities can be found in Section 2.
2. Details on data processing for the purpose of carrying out our business processes are described in section 3.
3. Kimpton Hotel Frankfurt GmbH (Junghofstraße 7, 60315 Frankfurt am Main, Germany) – hereinafter referred to as “we” or “us” – is the provider of the online offer and responsible under data protection law.
4. Our online offer is provided by IONOS SE (Elgendorfer Str. 57, 56410 Montabaur, Germany). The server location is Germany
5. Our data protection officer is: Sven Meyzis – IT.DS Beratung (phone: 0049 40-21091514 / e-mail: s.meyzis@itdsb.de).
6. The term “user” includes all customers and visitors to the online offer.

1.2 Legal basis

In principle, we collect and process personal data based on the following legal bases:

1. Consent pursuant to Article 6(1)(a) of the General Data Protection Regulation (GDPR). Consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Necessity to fulfill the contract or to carry out preparatory measures in accordance with Article 6 (1) (b) GDPR, i.e. the data is necessary so that we can fulfill our contractual obligations towards you or we need the data to prepare the conclusion of a contract with you.
3. Processing to fulfill a legal obligation in accordance with Article 6 (1) (c) GDPR, i.e. processing of the data is required, for example, by law or other regulations.
4. Processing for the purposes of legitimate interests in accordance with Article 6 (1) (f) GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.

The specific legal bases for the individual processing operations are listed in the following sections.

1.3 Rights of data subjects

You are entitled to the following rights with regard to data processing by us:

1. Right to lodge a complaint with a supervisory authority pursuant to Article 13 (2) (d) GDPR and Article 14 (2) (e) GDPR.
2. Right of access pursuant to Article 15 GDPR
3. Right to rectification pursuant to Article 16 GDPR
4. Right to erasure (“right to be forgotten”) pursuant to Article 17 GDPR
5. Right to restriction of processing pursuant to Article 18 GDPR
6. Right to data portability pursuant to Article 20 GDPR
7. Right to object pursuant to Article 21 GDPR

Note: Data subjects can object to the processing of their personal data in accordance with the legal requirements at any time with effect for the future. The objection can be made in particular against processing for direct marketing purposes.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

1.4 Data erasure and storage duration

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.

1.5 Security of processing

1. We have implemented appropriate and state-of-the-art technical and organizational security measures (TOMs). This protects the data processed by us against accidental or intentional manipulation, loss, destruction and unauthorized access.
2. The security measures include in particular the encrypted transmission of data between your browser and our server.

1.6 Data transfer to third parties, subcontractors and third-party providers

1. Personal data is only transferred to third parties within the framework of the legal requirements. We only pass on the data of the data subjects to third parties if this is necessary, for example, for billing purposes or for other purposes if the transfer is necessary to fulfill contractual obligations to the data subjects.
2. If we use subcontractors for our online offering, we have taken suitable contractual precautions and appropriate technical and organizational measures with these companies.
3. If we use content, tools or other means from other companies (hereinafter jointly referred to as “third-party providers”) and their registered office is located in a third country, it can be assumed that data will be transferred to the countries in which the third-party providers are based. We will only transfer personal data to third countries if there is an adequate level of data protection, the consent of the data subject or other legal permission.

2 Processing in the context of our online offering

2.1 Collection of information on the use of the online offer

1. When using the online offer, information is automatically transmitted to us by the user’s browser; this includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider.
2. This information is processed on the basis of legitimate interests in accordance with Article 6 (1) (f) GDPR (e.g. optimization of the online offer) and to ensure the security of processing in accordance with Article 5 (1) (f) GDPR (e.g. to defend against and investigate cyber attacks).
3. The information is automatically deleted no later than 30 days after the end of the connection – i.e. use of the online offer – provided that there are no other retention periods to the contrary.
4. The collection of the data and the storage of the data in log files is absolutely necessary for the provision of the online offer. The user therefore has no right to erasure, objection or rectification.

2.2 Adobe TypeKit Fonts

1. This website uses web fonts from Adobe for the uniform display of certain fonts. The provider is Adobe Systems Incorporated, 345 Park Avenue, San Jose, CA 95110-2704, USA (Adobe).
2. When you access this website, your browser loads the required fonts directly from Adobe in order to display them correctly on your device. In doing so, your browser establishes a connection to Adobe’s servers in the USA. This gives Adobe knowledge that this website has been accessed via your IP address. According to Adobe, no cookies are stored when the fonts are provided.
3. The data is stored and analyzed on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the uniform presentation of the typeface on its website. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user’s terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.
4. Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here:

https://www.adobe.com/de/privacy/eudatatransfers.html.

5. Further information on Adobe Fonts can be found at:

https://www.adobe.com/de/privacy/policies/adobe-fonts.html.

6. You can find Adobe’s privacy policy at:

https://www.adobe.com/de/privacy/policy.html

7. The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/5660.

2.3 Font Awesome (local hosting)

1. This site uses Font Awesome for the uniform display of fonts. Font Awesome is installed locally. There is no connection to the servers of Fonticons, Inc.
2. Further information about Font Awesome can be found in the Font Awesome privacy policy at: https://fontawesome.com/privacy.Zur We use so-called web fonts provided by Adobe for the uniform display of fonts. When you access a page, your browser loads the required web fonts into your browser cache in order to display texts and fonts correctly. For this purpose, the browser you are using must connect to the Adobe servers. This gives Adobe knowledge that our website has been accessed via your IP address. The use of Adobe TypeKit fonts is in the interest of a uniform and appealing presentation of our online offers. The legal basis is Art. 6 para. 1 lit. f GDPR.
3. Further information on Adobe TypeKit fonts can be found in Adobe’s privacy policy: https://www.adobe.com/de/privacy/policies/typekit.html

2.4 Consent management

1. Our website uses the cookie consent technology “CCM19” to obtain your consent for cookies and cookie-based applications that require consent and to document these in compliance with data protection regulations. The provider of this technology is Papoo Software & Media GmbH – Dr. Carsten Euwens. Bornschein, Auguststr. 4, 53229 Bonn (hereinafter referred to as CCM19).
2. When you enter our website, a banner is displayed by integrating a corresponding JavaScript code, which you can use to give your consent for certain cookies and cookie-based applications. As long as you do not give your consent, the aforementioned cookie consent tool blocks the setting of cookies requiring consent. The aforementioned cookie consent tool collects certain user information, including the IP address, when our website is accessed so that page views can be assigned to individual users and, on the other hand, the consent settings made by the user can be individually recorded, logged and stored for a session duration. This data is not passed on to CCM19.
3. The data collected will be stored until you ask us to delete it or delete the CCM19 cookie yourself or until the purpose for storing the data no longer applies. Mandatory statutory retention periods remain unaffected.
4. CCM19 cookie consent technology is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 sentence 1 lit. c GDPR.
5. Further information on the use of data by CCM19 can be found at https://www.ccm19.de/datenschutzerklaerung.html.

2.5 WordPress

1. We use WordPress for website development on the basis of the balancing of interests pursuant to Art. 6 para. 1 lit. f GDPR.
2. WordPress only uses necessary or functional cookies and similar technologies. Data is not transferred to third parties.

2.6 Links to other websites

1. While using some of our services (e.g. “table reservation” and “menu card”) you will be automatically redirected to other websites.
2. Please note that this privacy policy does not apply there. The privacy policy of the linked website may differ considerably from this one.

3 Processing for the purpose of carrying out our business processes

3.1 Contact form

1. If you send us inquiries via the contact form, your details from the inquiry form, including the contact data you provide there, will be stored by us for the purpose of processing the inquiry and in the event of follow-up questions. We will not pass on this data without your consent.
2. This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; consent can be revoked at any time.
3. We will retain the data you provide on the contact form until you request its deletion, revoke your consent for its storage, or the purpose for its storage no longer pertains (e.g. after fulfilling your request). Mandatory statutory provisions – in particular retention periods – remain unaffected.

3.2 Request by e-mail, telephone or fax

1. If you contact us by e-mail, telephone or fax, we will store and process your inquiry, including all personal data (name, inquiry), for the purpose of processing your request. We will not pass on this data without your consent.
2. This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; consent can be revoked at any time.
3. The data you send to us via contact requests will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.

3.3 Guest communication

1. If you have consented to receive information from us regarding your future stay – for example, by reserving a room via a booking platform – we will contact you via SMS or WhatsApp as requested. Part of the communication could, for example, be a welcome message.
2. If you actively contact us via SMS or WhatsApp, we will communicate with you using the same medium.
3. Communication takes place via our service provider Canary Technologies Corp. (275 Sacramento Street, Floor 3, San Francisco, CA 94111, USA). We have concluded a data protection agreement with the service provider.
4. The legal basis for the processing is your consent pursuant to Article 6 (1) (a) GDPR in conjunction with Article 6 (1) (b) GDPR (necessity for the initiation and performance of the contract).

3.4 Processing of personal data in accordance with the Federal Registration Act

1. We have a legal obligation under the Federal Registration Act (BMG) to collect the following data from foreign residents (§ 29 BMG, § 30 BMG):
2. Date of arrival and expected departure
3. Family name
4. First name
5. Date of birth
6. Nationality
7. Address
8. Serial number of the recognized and valid passport or passport replacement document
9. A separate registration form does not need to be completed for accompanying family members (e.g. spouse, children). It is sufficient to state the number of accompanying persons and their nationality.
10. For tour groups of more than ten people, only the tour guide must fill in the registration form and otherwise state the number of fellow travelers and their nationality.
11. We are obliged to collect, process and pass on this data in accordance with the BMG. The legal basis for processing results from Article 6 (1) (c) GDPR (legal requirement).
12. We delete this data or restrict the processing as soon as it is permitted under the provisions of the BMG and if there is no consent on your part pursuant to Article 6 (1) (a) GDPR and no other legitimate interest on our part pursuant to Article 6 (1) (f) GDPR in the continued processing.

The completed registration forms must be kept for one year from the date of arrival and then destroyed within 3 months.

3.5 Hotel stay

1. When you stay with us, we strive to make your stay as pleasant as possible. This requires the processing of your personal data for the provision of specific services during your hotel stay.

These services include

• housekeeping and maintenance;
• the return of lost or forgotten items to you; and
• managing your preferences and those of your companions, such as dietary requirements and pillow preferences,

to offer you a better service during your stay with us.

2. For these purposes, we process the following data in particular: First and last name, postal address, consumption habits, arrival and departure dates, dietary requirements, e-mail address, first and last name of adult roommates, other personal preferences, payment information (for the return of lost or forgotten items), telephone number
3. This data is usually collected directly from you during your stay at the hotel or reaches us via your travel agency or, for example, through the booking system you use.
4. The legal basis for the processing of this data is the balancing of interests pursuant to Article 6 (1) (f) GDPR. Our legitimate interest is to organize our hotel maintenance activities, to personalize the services offered and to be able to identify the owner of a lost or forgotten item.
5. Possible recipients of the data are hotel staff (including housekeeping, maintenance, reception and other hotel staff), IT service providers and delivery or courier service providers (for the return of lost or forgotten items).
6. You can object to the use of the data at any time with effect for the future. An objection can lead to a noticeable restriction of our services.
7. We use several service providers to provide our services within the scope of order processing. These include in particular

• Hotel Management Software: Quore Systems, LLC, 5000 Meridian Boulevard, Suite 400, Franklin, TN 37067, USA
• Digital guest directory: SABA Hospitality Technology Solutions Company Limited, Calcada do Gaio, n 3, R/C, Loja B, Macao
• Guest Administration: HotelKey Inc, 4100 Midway Road, #2115, Carrollton, Texas 75007 USA

3.6 Table booking

1. If you book a table for our restaurant via the “OpenTable” booking portal, your personal data will be provided to us.
2. The legal basis for the processing is your consent pursuant to Article 6 (1) (a) GDPR in conjunction with Article 6 (1) (b) GDPR (necessity for the initiation and performance of the contract).
3. The contact details of the provider of the booking portal are as follows: OpenTable GmbH, Schumannstr. 27, 60325 Frankfurt. (Tel.: +49 800 36 38 466 / Fax: +49 (0) 69 2 55 77 66 5 / E-Mail: gastservice@opentable.de).

3.7 Video surveillance

Below you will find our data protection notice within the meaning of Article 13 GDPR on the processing of personal data in the context of our video surveillance.

1. The processing of video recordings is based on Article 6 (1) (f) GDPR; the so-called legitimate interest.
2. Our legitimate interests are:

• Safeguarding domiciliary rights
• Protection against theft, protection of property
• Investigation of burglary and theft
• Protection of guests and employees

3. The video recordings are processed exclusively for the purposes described.
4. Any further use or disclosure of the video recordings will only take place if this is necessary in the context of possible criminal prosecution. In this case, the recipients are the responsible law enforcement authorities.
5. We use external service providers to maintain the video surveillance system, whereby access to the video surveillance system or stored video recordings cannot be ruled out.
6. The video recordings are deleted 3 days after recording, provided that no special incidents have occurred that justify or require further storage.

3.8 Reputation management

1. We use the online reputation management platform of MARA Solutions GmbH (Tullastraße 15, GER- 68161 Mannheim) for the evaluation and processing of guest reviews.
2. The legal basis for the processing is the balancing of interests pursuant to Article 6 (1) (f) GDPR. Our legitimate interest is to establish efficient processes for the management of guest reviews.
3. We have concluded a data protection agreement with the provider.

3.9 Personnel application

For reasons of better readability, the simultaneous use of masculine and feminine and diverse language forms is dispensed with in the following explanations. All personal designations apply to all genders: m/f/d.

3.9.1 Direct applications

1. We offer you the opportunity to apply for a job with us (e.g. via our website, by e-mail or by post). In the following, we inform you about the scope, purpose and use of your personal data collected as part of the application process. We assure you that your data will be collected, processed and used in accordance with applicable data protection law and all other statutory provisions and that your data will be treated in strict confidence.
2. Scope and purpose of data collection

If you send us an application, we will process your associated personal data (e.g. contact and communication data, application documents, notes taken during job interviews, etc.) insofar as this is necessary to decide on the establishment of an employment relationship. The legal basis for this is Section 26 BDSG (initiation of an employment relationship), Article 6 (1) (b) GDPR (general contract initiation) and – if you have given your consent – Article 6 (1) (a) GDPR. Consent can be revoked at any time. Your personal data will only be passed on within our company to persons who are involved in processing your application.

3. If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of Section 26 BDSG (Federal Data Protection Act) and Article 6 (1) (b) GDPR for the purpose of implementing the employment relationship.
4. Data retention period

If we are unable to make you a job offer, you reject a job offer or withdraw your application, we reserve the right to retain the data you have submitted on the basis of our legitimate interests (Article 6 (1) (f) GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). The data will then be deleted and the physical application documents destroyed. The retention serves in particular as evidence in the event of a legal dispute. If it is apparent that the data will be required after the 6-month period has expired (e.g. due to an impending or pending legal dispute), the data will only be deleted when the purpose for further storage no longer applies.

Longer storage may also take place if you have given your consent (Article 6 (1) (a) GDPR) or if statutory retention obligations prevent deletion.

3.9.2 Inclusion in the applicant pool

1. If we do not make you a job offer, you may have the opportunity to be included in our applicant pool. If you are accepted, all documents and details from your application will be transferred to the applicant pool so that you can be contacted in the event of suitable vacancies.
2. Inclusion in the applicant pool is based exclusively on your express consent (Article 6 (1) (a) GDPR). Giving consent is voluntary and is not related to the current application process. The data subject can withdraw their consent at any time. In this case, the data will be irrevocably deleted from the applicant pool, provided there are no legal grounds for retention.
3. The data from the applicant pool will be irrevocably deleted no later than two years after consent has been granted.

3.9.3 Vacancies

1. If you apply to us via the “HotelCareer” applicant portal, your personal data will be provided to us.
2. The legal basis for the processing is your consent in accordance with Article 6 (1) (a) GDPR in conjunction with Article 6 (1) (b) GDPR (necessity for the initiation and execution of the contract).
3. The contact details of the provider of the applicant portal are: StepStone Deutschland GmbH, Völklinger Straße 1, 40219 Düsseldorf, Germany (Tel: +49 (0) 211 – 93 493 0 / E-Mail: info@stepstone.de).

4 Cookie policy

4.1 General information

1. Cookies are pieces of information that are transferred from our web server or third-party web servers to the user’s web browser and stored there for later retrieval. Cookies can be small files or other types of information storage.
2. If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.

4.2 Cookie overview, objection

1. An up-to-date overview of the cookies and services used on this website can be found in the consent management platform “CCM19 Cloud” (see section 3 “Consent management”).
2. You can also manage your individual consents and preferences there.

5 Changes to the privacy policy

1. We reserve the right to amend this privacy policy with regard to data processing in order to adapt it to changed legal situations or to changes in data processing.
2. If the consent of the data subjects is required or components of the privacy policy contain provisions of the contractual relationship with the data subjects, the changes will only be made with the consent of the data subjects.
3. Data subjects are requested to inform themselves regularly about the content of this privacy policy.

Status: May 2025