Privacy Policy – Aurelo Cycling

1. Introduction

This Privacy Policy explains how personal data is collected, used, and protected when you visit or interact with the website www.aurelocycling.com and use services provided under the brand Aurelo Cycling.

We are committed to handling your data responsibly and in accordance with the EU General Data Protection Regulation (GDPR).

2. Data Controller

The data controller responsible for data processing on this website is:

GBI Event GmbH

Represented by its management

Address: as stated in the legal notice (Imprint)

Email: info@aurelocycling.com

Aurelo Cycling is a brand operated by GBI Event GmbH.

3. Scope of this Privacy Policy

This Privacy Policy applies to all personal data processed when:

  • Visiting our website
  • Using our contact form
  • Making bookings via our booking system
  • Interacting with embedded content or services
  • Accepting or managing cookies

Personal data refers to any information that can identify you directly or indirectly.

4. General Principles of Data Processing

We process personal data only when legally permitted. This includes:

  • Providing a functional website
  • Handling inquiries and bookings
  • Fulfilling contractual obligations
  • Improving user experience and website performance
  • Complying with legal obligations

We do not sell personal data.

5. Hosting and Server Log Files

When you access our website, technical data is automatically transmitted by your browser and temporarily stored on our servers.

This includes:

  • IP address
  • Date and time of access
  • Requested page or file
  • Referrer URL
  • Browser type and version
  • Operating system
  • Internet service provider

Purpose of processing:

  • Ensuring website stability and security
  • Detecting and preventing misuse
  • Technical administration

Legal basis:

  • Art. 6(1)(f) GDPR – legitimate interest in secure and stable website operation

Storage duration:

  • Server log files are stored for a maximum of 14 days and then automatically deleted or anonymized.

No merging with other data sources takes place.

6. Cookies and Consent Management

Our website uses cookies and similar technologies.

Cookies are small text files stored on your device.

We distinguish between:

a) Technically necessary cookies; These are required for the website to function properly (e.g. session management, security, booking processes).

b) Optional cookies; These are used only with your consent, for example for analytics or marketing purposes.

Consent management:

We use a cookie consent tool (CCM19) to obtain and manage user consent in compliance with GDPR and ePrivacy rules.

You can change or withdraw your consent at any time via the cookie settings on our website.

7. Matomo Analytics (Self-Hosted)

We use Matomo, a self-hosted web analytics service, to understand how visitors use our website.

Matomo is operated on our own servers, meaning data is not shared with third parties.

Data processed:

  • IP address (shortened/anonymized where possible)
  • Device and browser information
  • Pages visited
  • Referrer URL
  • Time spent on pages
  • Geographic approximation (based on IP)

Purpose:

  • Website optimization
  • Performance analysis
  • Improving content and user experience

Legal basis:

  • Art. 6(1)(a) GDPR – consent (via cookie banner)

Storage:

  • Data is stored only as long as necessary for statistical analysis and is not used to identify individual users.

8. Contact Form and Communication

When you contact us via the contact form or by email, we process the personal data you provide.

Data processed:

  • Name
  • Email address
  • Message content
  • Any additional information you voluntarily provide

Purpose of processing:

  • Responding to inquiries
  • Customer communication
  • Preparation or execution of contracts

Legal basis:

  • Art. 6(1)(b) GDPR – pre-contractual measures / contract performance
  • Art. 6(1)(f) GDPR – legitimate interest in responding to inquiries

Storage duration:

  • We store inquiry data only as long as necessary to process the request, and no longer than 12 months unless statutory retention obligations apply.

9. Booking System (Regiondo)

We use Regiondo GmbH, Mühldorfstr. 8, 81671 Munich, Germany, as our booking and ticketing system.

When you make a booking, personal data is processed directly by Regiondo as part of the booking flow.

Data processed:

  • First and last name
  • Address
  • Email address
  • Booking details (tour, date, participants)
  • Payment-related data (processed via payment providers)

Purpose of processing:

  • Booking management
  • Contract execution
  • Payment handling
  • Ticket issuance and customer support

Legal basis:

  • Art. 6(1)(b) GDPR – contract performance

Regiondo acts as a data processor under Art. 28 GDPR. A corresponding data processing agreement (DPA) is in place.

Further information: https://www.regiondo.com/de/datenschutz/

10. Payment Processing (Stripe & Google Pay)

Stripe

We use Stripe, provided by Stripe Payments Europe Ltd. / Stripe, Inc., for secure online payment processing.

Stripe processes payment data directly. We do not store full credit card details.

Data processed:

  • Payment information
  • Transaction data
  • Billing details
  • Device and technical data for fraud prevention

Purpose:

  • Payment processing
  • Fraud prevention
  • Financial transaction handling

Legal basis:

  • Art. 6(1)(b) GDPR – contract performance
  • Art. 6(1)(f) GDPR – fraud prevention and security

Stripe may transfer data to the United States. This is based on Standard Contractual Clauses (SCCs) under Art. 46 GDPR.

Further information: https://stripe.com/privacy

Google Pay

If you choose Google Pay as a payment method, payment data is processed by Google Ireland Limited.

Data processed:

  • Payment credentials
  • Device information
  • Transaction data
  • Billing and shipping details

Purpose:

  • Payment processing via Google Pay
  • Fraud prevention and security

Legal basis:

  • Art. 6(1)(a) GDPR (consent) and/or Art. 6(1)(b) GDPR (contract performance)

Google may process data outside the EU under appropriate safeguards (SCCs).

Further information: https://policies.google.com/privacy

11. hCaptcha (Bot Protection)

We use hCaptcha provided by Intuition Machines Inc. to protect our website from spam, abuse, and automated access.

Data processed:

  • IP address
  • Browser and device information
  • Interaction patterns (mouse movement, clicks, scroll behavior)
  • Time and usage data

Purpose:

  • Protection against bots and abuse
  • Security of forms and booking processes

Legal basis:

  • Art. 6(1)(a) GDPR – consent (via cookie banner)
  • Art. 6(1)(f) GDPR – legitimate interest in website security

Data may be transferred to the United States under Standard Contractual Clauses.

Further information: https://www.hcaptcha.com/privacy

12. Social Media (Instagram)

Our website may include embedded Instagram content or plugins provided by Meta Platforms Ireland Ltd.

Embedded content is only activated after you explicitly interact with it (two-click solution). Before activation, no data is transmitted to Instagram.

Once activated, Instagram may process the following data:

IP address

  • Device and browser information
  • Interaction with our website
  • Cookies and tracking data (if you are logged into Instagram)
  • If you are logged into your Instagram account, Meta may associate your visit with your personal profile.

Purpose of processing:

  • Displaying social media content
  • Improving user experience
  • External communication and marketing presence

Legal basis:

  • Art. 6(1)(a) GDPR – consent
  • Art. 6(1)(f) GDPR – legitimate interest in external communication

Data may be transferred to third countries (including the United States). Meta relies on Standard Contractual Clauses (SCCs) under Art. 46 GDPR.

Further information: https://privacycenter.instagram.com/policy

13. Social Media Links

Our website contains links to external social media platforms, including Instagram.

These are simple hyperlinks, not embedded plugins.

No data is transmitted to these platforms unless you actively click the link.

Once you click a link, the respective platform becomes responsible for data processing.

14. Data Sharing and Recipients

We only share personal data when necessary and legally permitted.

Data may be shared with:

  • Booking and payment service providers (e.g. Regiondo, Stripe, Google Pay)
  • IT and hosting providers
  • Technical service providers (e.g. analytics, security tools)
  • Public authorities, if legally required

We do not sell personal data to third parties.

All processors are contractually bound under Art. 28 GDPR.

15. International Data Transfers

Some of the services we use may process data outside the European Union or the European Economic Area, particularly in the United States.

This applies especially to:

  • Stripe
  • Google
  • hCaptcha
  • Meta (Instagram)

Where data is transferred outside the EU, we ensure appropriate safeguards, including:

Standard Contractual Clauses (SCCs) approved by the European Commission

Additional technical and organizational security measures where required

Despite these safeguards, data processing in third countries may involve residual risks, such as limited access rights for EU data protection authorities.

16. Storage Duration

We only store personal data for as long as necessary for the respective purpose.

Retention periods depend on:

  • Contractual requirements
  • Legal retention obligations (e.g. tax or commercial law)
  • Legitimate business interests

Once the purpose no longer applies, data is deleted or anonymized.

17. Your Rights under the GDPR

As a data subject, you have the following rights under the EU General Data Protection Regulation (GDPR):

  • Right of access (Art. 15 GDPR): You can request information about the personal data we process about you.
  • Right to rectification (Art. 16 GDPR): You may request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17 GDPR): You may request deletion of your personal data, provided no legal retention obligations apply.
  • Right to restriction of processing (Art. 18 GDPR): You may request limited processing of your data under certain conditions.
  • Right to data portability (Art. 20 GDPR): You may request to receive your data in a structured, commonly used format.
  • Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3) GDPR): You may withdraw your consent at any time with effect for the future.

To exercise your rights, please contact:

info@aurelocycling.com

18. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR.

The competent authority is generally:

The State Commissioner for Data Protection of the federal state in which GBI Event GmbH is located.

19. Data Security

We implement appropriate technical and organizational measures to protect personal data against:

  • Unauthorized access
  • Loss
  • Misuse
  • Alteration or destruction

These measures are designed in accordance with Art. 32 GDPR and are continuously improved in line with technological developments.

20. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy from time to time to reflect:

  • Legal changes
  • Technical developments
  • Changes in our services or data processing activities

The current version is always available on www.aurelocycling.com.

 

هل من شيء آخر؟

اتصل بنا من هنا.

*الحقول الإلزامية