This Privacy Policy explains how EscapeVenture GmbH and Kiutel Limited (“we”, “us”, “our”) collect, process, and protect personal data. We comply with the General Data Protection Regulation (GDPR) and all relevant provisions of the German Telecommunications and Telemedia Data Protection Act (TTDSG).

1. Controller

The controller according to the GDPR is:

For bookings made via QuinBook, Kiutel Limited is also responsible where bookings relate to the locations Magdeburg or Leipzig.

2. Categories of Personal Data We Process

• Contact and identity data: name, address, email address, phone number (optional).
• Booking data (QuinBook): date/time, number of participants, booking history, payment status.
• Website usage data: IP address, browser details, operating system, time of access, pages viewed, session duration, referrer URL.
• Payment data: billing address, transaction metadata (credit card details are processed only by Stripe or PayPal).
• Cookies & tracking data: cookie IDs, consent status, device and interaction data.

3. Purposes & Legal Bases of Processing

• Contract execution / booking management (Art. 6(1)(b) GDPR)
• Customer communication & support (Art. 6(1)(b), (f) GDPR)
• Website hosting & security (STRATO) (Art. 6(1)(f) GDPR)
• Analytics & performance measurement (Google Analytics) (Art. 6(1)(a) GDPR — consent required)
• Payment processing (Stripe & PayPal) (Art. 6(1)(b), (f) GDPR)
• Compliance with legal obligations (Art. 6(1)(c) GDPR)

4. Hosting & Server Log Files (STRATO)

Our website is hosted by STRATO AG, Otto-Ostrowski-Straße 7, 10249 Berlin, Germany. STRATO processes the following data:

• IP address (usually anonymised after 24 hours),
• date and time of access,
• pages requested,
• data volume transferred,
• browser and operating system information.

The processing is based on Art. 6(1)(f) GDPR (legitimate interest in secure website operation). A Data Processing Agreement (DPA) according to Art. 28 GDPR is in place with STRATO.

5. Cookies & Consent Management

We use cookies and similar technologies in accordance with TTDSG § 25 and Art. 6 GDPR.

• Essential Cookies (no consent required) – session cookies, security cookies, consent-management cookies.
• Non-essential / consent-based cookies – Google Analytics cookies – Marketing and tracking cookies – Some Stripe/PayPal cookies (fraud detection)

You may withdraw your consent at any time via the cookie-banner settings. Cookies can also be disabled in your browser settings.

6. Google Analytics

We use Google Analytics 4, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics may collect:

• anonymised IP addresses,
• user interactions (clicks, scrolls, events),
• pages visited, session duration,
• device and browser information,
• referrer URLs.

IP anonymisation is enabled. Processing is based solely on your consent (Art. 6(1)(a) GDPR). You may withdraw your consent at any time.

Google may process data in the United States. Transfers are covered by the EU–US Data Privacy Framework and Google’s implemented safeguards. A DPA with Google has been signed.

Browser opt-out plugin: https://tools.google.com/dlpage/gaoptout

7. Booking System: QuinBook

For online bookings we use **QuinBook**, provided by:

Woizzer AG
Oeverseestraße 10–12
22769 Hamburg, Germany

QuinBook processes:

• name and contact details,
• booking date, time, participants, selected experience,
• pricing, discounts, vouchers,
• payment status and payment IDs (Stripe/PayPal).

Processing is necessary for contract execution (Art. 6(1)(b) GDPR). A Data Processing Agreement (DPA) is in place with Woizzer AG (QuinBook).

8. Payment Providers: Stripe & PayPal

Stripe
Stripe Payments Europe Ltd.
1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland

PayPal
PayPal (Europe) S.à r.l. et Cie, S.C.A.
22–24 Boulevard Royal, L-2449 Luxembourg

They may process:

• payment amount, currency, timestamps,
• pseudonymised payment IDs,
• billing and (optional) delivery addresses,
• email address of the payment account,
• technical/fraud prevention data.

Processing is based on Art. 6(1)(b) GDPR (contract) and Art. 6(1)(f) GDPR (fraud prevention). Both providers may transfer data to the USA under the EU–US Data Privacy Framework.

9. Data Retention Periods

• Booking & contract data: 6–10 years (legal retention).
• Server log files: anonymised after approx. 24 hours.
• Google Analytics: up to 14 months.
• Contact enquiries: up to 12 months.
• Payment records: up to 10 years.
• Cookies: according to cookie-banner definitions.

10. Your Rights

You have the right to:

• access your personal data (Art. 15 GDPR),
• rectification (Art. 16 GDPR),
• erasure (Art. 17 GDPR),
• restriction of processing (Art. 18 GDPR),
• data portability (Art. 20 GDPR),
• object to processing (Art. 21 GDPR),
• withdraw consent (Art. 7(3) GDPR).

To exercise your rights, please contact: alexander@escapeventure.com

11. Withdrawal of Consent / Opt-Out

You may withdraw consent for analytics or marketing cookies at any time via the cookie-banner settings.

Additionally, you may disable Google Analytics via the browser add-on: https://tools.google.com/dlpage/gaoptout

12. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. The relevant authority for us is:

State Commissioner for Data Protection Saxony-Anhalt
P.O. Box 19 47
39009 Magdeburg
Germany

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect legal changes or to incorporate new services or processing operations. The latest version is always available on this website.
Last updated: 2025