Privacy Policy – Aurelo Cycling
1. Introduction
This Privacy Policy explains how personal data is collected, used, and protected when you visit or interact with the website www.aurelocycling.com and use services provided under the brand Aurelo Cycling.
We are committed to handling your data responsibly and in accordance with the EU General Data Protection Regulation (GDPR).
2. Data Controller
The data controller responsible for data processing on this website is:
GBI Event GmbH
Represented by its management
Address: as stated in the legal notice (Imprint)
Email: info@aurelocycling.com
Aurelo Cycling is a brand operated by GBI Event GmbH.
3. Scope of this Privacy Policy
This Privacy Policy applies to all personal data processed when:
- Visiting our website
- Using our contact form
- Making bookings via our booking system
- Interacting with embedded content or services
- Accepting or managing cookies
Personal data refers to any information that can identify you directly or indirectly.
4. General Principles of Data Processing
We process personal data only when legally permitted. This includes:
- Providing a functional website
- Handling inquiries and bookings
- Fulfilling contractual obligations
- Improving user experience and website performance
- Complying with legal obligations
We do not sell personal data.
5. Hosting and Server Log Files
When you access our website, technical data is automatically transmitted by your browser and temporarily stored on our servers.
This includes:
- IP address
- Date and time of access
- Requested page or file
- Referrer URL
- Browser type and version
- Operating system
- Internet service provider
Purpose of processing:
- Ensuring website stability and security
- Detecting and preventing misuse
- Technical administration
Legal basis:
- Art. 6(1)(f) GDPR – legitimate interest in secure and stable website operation
Storage duration:
- Server log files are stored for a maximum of 14 days and then automatically deleted or anonymized.
No merging with other data sources takes place.
6. Cookies and Consent Management
Our website uses cookies and similar technologies.
Cookies are small text files stored on your device.
We distinguish between:
a) Technically necessary cookies; These are required for the website to function properly (e.g. session management, security, booking processes).
b) Optional cookies; These are used only with your consent, for example for analytics or marketing purposes.
Consent management:
We use a cookie consent tool (CCM19) to obtain and manage user consent in compliance with GDPR and ePrivacy rules.
You can change or withdraw your consent at any time via the cookie settings on our website.
7. Matomo Analytics (Self-Hosted)
We use Matomo, a self-hosted web analytics service, to understand how visitors use our website.
Matomo is operated on our own servers, meaning data is not shared with third parties.
Data processed:
- IP address (shortened/anonymized where possible)
- Device and browser information
- Pages visited
- Referrer URL
- Time spent on pages
- Geographic approximation (based on IP)
Purpose:
- Website optimization
- Performance analysis
- Improving content and user experience
Legal basis:
- Art. 6(1)(a) GDPR – consent (via cookie banner)
Storage:
- Data is stored only as long as necessary for statistical analysis and is not used to identify individual users.
8. Contact Form and Communication
When you contact us via the contact form or by email, we process the personal data you provide.
Data processed:
- Name
- Email address
- Message content
- Any additional information you voluntarily provide
Purpose of processing:
- Responding to inquiries
- Customer communication
- Preparation or execution of contracts
Legal basis:
- Art. 6(1)(b) GDPR – pre-contractual measures / contract performance
- Art. 6(1)(f) GDPR – legitimate interest in responding to inquiries
Storage duration:
- We store inquiry data only as long as necessary to process the request, and no longer than 12 months unless statutory retention obligations apply.
9. Booking System (Regiondo)
We use Regiondo GmbH, Mühldorfstr. 8, 81671 Munich, Germany, as our booking and ticketing system.
When you make a booking, personal data is processed directly by Regiondo as part of the booking flow.
Data processed:
- First and last name
- Address
- Email address
- Booking details (tour, date, participants)
- Payment-related data (processed via payment providers)
Purpose of processing:
- Booking management
- Contract execution
- Payment handling
- Ticket issuance and customer support
Legal basis:
- Art. 6(1)(b) GDPR – contract performance
Regiondo acts as a data processor under Art. 28 GDPR. A corresponding data processing agreement (DPA) is in place.
Further information: https://www.regiondo.com/de/datenschutz/
10. Payment Processing (Stripe & Google Pay)
Stripe
We use Stripe, provided by Stripe Payments Europe Ltd. / Stripe, Inc., for secure online payment processing.
Stripe processes payment data directly. We do not store full credit card details.
Data processed:
- Payment information
- Transaction data
- Billing details
- Device and technical data for fraud prevention
Purpose:
- Payment processing
- Fraud prevention
- Financial transaction handling
Legal basis:
- Art. 6(1)(b) GDPR – contract performance
- Art. 6(1)(f) GDPR – fraud prevention and security
Stripe may transfer data to the United States. This is based on Standard Contractual Clauses (SCCs) under Art. 46 GDPR.
Further information: https://stripe.com/privacy
Google Pay
If you choose Google Pay as a payment method, payment data is processed by Google Ireland Limited.
Data processed:
- Payment credentials
- Device information
- Transaction data
- Billing and shipping details
Purpose:
- Payment processing via Google Pay
- Fraud prevention and security
Legal basis:
- Art. 6(1)(a) GDPR (consent) and/or Art. 6(1)(b) GDPR (contract performance)
Google may process data outside the EU under appropriate safeguards (SCCs).
Further information: https://policies.google.com/privacy
11. hCaptcha (Bot Protection)
We use hCaptcha provided by Intuition Machines Inc. to protect our website from spam, abuse, and automated access.
Data processed:
- IP address
- Browser and device information
- Interaction patterns (mouse movement, clicks, scroll behavior)
- Time and usage data
Purpose:
- Protection against bots and abuse
- Security of forms and booking processes
Legal basis:
- Art. 6(1)(a) GDPR – consent (via cookie banner)
- Art. 6(1)(f) GDPR – legitimate interest in website security
Data may be transferred to the United States under Standard Contractual Clauses.
Further information: https://www.hcaptcha.com/privacy
12. Social Media (Instagram)
Our website may include embedded Instagram content or plugins provided by Meta Platforms Ireland Ltd.
Embedded content is only activated after you explicitly interact with it (two-click solution). Before activation, no data is transmitted to Instagram.
Once activated, Instagram may process the following data:
IP address
- Device and browser information
- Interaction with our website
- Cookies and tracking data (if you are logged into Instagram)
- If you are logged into your Instagram account, Meta may associate your visit with your personal profile.
Purpose of processing:
- Displaying social media content
- Improving user experience
- External communication and marketing presence
Legal basis:
- Art. 6(1)(a) GDPR – consent
- Art. 6(1)(f) GDPR – legitimate interest in external communication
Data may be transferred to third countries (including the United States). Meta relies on Standard Contractual Clauses (SCCs) under Art. 46 GDPR.
Further information: https://privacycenter.instagram.com/policy
13. Social Media Links
Our website contains links to external social media platforms, including Instagram.
These are simple hyperlinks, not embedded plugins.
No data is transmitted to these platforms unless you actively click the link.
Once you click a link, the respective platform becomes responsible for data processing.
14. Data Sharing and Recipients
We only share personal data when necessary and legally permitted.
Data may be shared with:
- Booking and payment service providers (e.g. Regiondo, Stripe, Google Pay)
- IT and hosting providers
- Technical service providers (e.g. analytics, security tools)
- Public authorities, if legally required
We do not sell personal data to third parties.
All processors are contractually bound under Art. 28 GDPR.
15. International Data Transfers
Some of the services we use may process data outside the European Union or the European Economic Area, particularly in the United States.
This applies especially to:
- Stripe
- hCaptcha
- Meta (Instagram)
Where data is transferred outside the EU, we ensure appropriate safeguards, including:
Standard Contractual Clauses (SCCs) approved by the European Commission
Additional technical and organizational security measures where required
Despite these safeguards, data processing in third countries may involve residual risks, such as limited access rights for EU data protection authorities.
16. Storage Duration
We only store personal data for as long as necessary for the respective purpose.
Retention periods depend on:
- Contractual requirements
- Legal retention obligations (e.g. tax or commercial law)
- Legitimate business interests
Once the purpose no longer applies, data is deleted or anonymized.
17. Your Rights under the GDPR
As a data subject, you have the following rights under the EU General Data Protection Regulation (GDPR):
- Right of access (Art. 15 GDPR): You can request information about the personal data we process about you.
- Right to rectification (Art. 16 GDPR): You may request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR): You may request deletion of your personal data, provided no legal retention obligations apply.
- Right to restriction of processing (Art. 18 GDPR): You may request limited processing of your data under certain conditions.
- Right to data portability (Art. 20 GDPR): You may request to receive your data in a structured, commonly used format.
- Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3) GDPR): You may withdraw your consent at any time with effect for the future.
To exercise your rights, please contact:
18. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR.
The competent authority is generally:
The State Commissioner for Data Protection of the federal state in which GBI Event GmbH is located.
19. Data Security
We implement appropriate technical and organizational measures to protect personal data against:
- Unauthorized access
- Loss
- Misuse
- Alteration or destruction
These measures are designed in accordance with Art. 32 GDPR and are continuously improved in line with technological developments.
20. Changes to this Privacy Policy
We reserve the right to update this Privacy Policy from time to time to reflect:
- Legal changes
- Technical developments
- Changes in our services or data processing activities
The current version is always available on www.aurelocycling.com.