Privacy policy

Status: 04/05/2026

1. General Information

Protecting your personal data is especially important to us. We process your personal information exclusively on the basis of the applicable legal provisions (GDPR, DSG, TKG 2003).

To provide our website, to handle the sale of our products, and to deliver our services, we process information about you as a person, known as personal data – or simply “data” for short. The term “processing” covers any use of this data, such as collecting, storing, using, or deleting personal data.

We are happy to inform you in our Privacy Policy about how your personal data is processed and about the claims and rights to which you are entitled under data protection regulations.

The party responsible for processing your personal data is:

• LTR Loipersdorf Spa Resort GmbH
• Thermenstraße 152, 8282 Bad Loipersdorf
• Tel. no.: +43 3382 8204
• Email: [email protected]

If you have any concerns, questions or suggestions regarding data protection, we are always happy to assist you using the contact details provided.

2. Data processing in connection with our website and online shop

2.1. General Information

As part of our website and online shops, we process data that you provide to us (for example when placing orders), logs (our servers record who submits requests for security reasons), and cookies (these are small text files stored on your device that contain information used to recognize you again).

The web server for operating our website is technically run by Google Cloud Platform and Vercel Inc. as well as Sanity.io as processors.

The information generated is generally transmitted to servers of Google/Vercel/Sanity in the USA/Europe and stored there. An appropriate level of protection is ensured by standard contractual clauses in accordance with Art. 46 GDPR.

• Google: https://privacy.google.com/businesses/processorterms/
• Vercel: https://vercel.com/legal/privacy-policy
• Sanity: https://www.sanity.io/legal/privacy

Google, Vercel and Sanity act as our data processors and are only permitted to use the data for fulfilling our contractual obligations.

To prevent third-party cookies from being set, you can block so‑called third‑party cookies in your browser. Below you’ll find instructions for the most common browsers:

• Firefox
• Chrome
• Edge
• Safari: In Apple’s Safari, third-party cookies are blocked by default.

2.2. Data processing for the operation and security of our website and our online shop (server logs)

2.2.1. Server logs

Purpose of processing:
When you visit our website, the web server collects usage data (so‑called server logs). Collecting this data is necessary to technically enable the connection to our server and the use of the website. In addition, this data is used to prevent and analyze attacks.

The following server logs are collected:The IP address of the requesting device, together with the date, time, request, which file is requested (name and URL), the volume of data transmitted to you, a message indicating whether the request was successful, identification data of the browser and operating system used, as well as the website from which access took place (if access occurs via a link).

Legal basis for processing:We process your data on the basis of our legitimate interest in ensuring the operation of the service and the security of our systems.

Recipients of the data: The web server for operating our website is technically run by Google Cloud Platform (frontend), Vercel Inc. (backend) and Sanity.io as processors. In the event of a hacker attack, the data from the server logs will be passed on to law enforcement authorities. No further transfer to third parties takes place.

Further information:The server logs are stored for a maximum of30 days.

2.3. Data Processing for Marketing Purposes:

2.3.1. Web Analytics

We use the tool listed below to process data about how you use our website and online shop, so we can tailor them as closely as possible to your interests.

GOOGLE ANALYTICS

A web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”)

Purpose of processing:
Google Analytics stores cookies to recognize you and then create personalized user statistics about your website activities. In addition, we have activated Google’s “anonymize IP” module. This means that the IP address assigned to you is anonymized by Google within the European Union.
The cookies stored on your device by Google Analytics are determined by the data protection settings in the cookie banner provided by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany.

Legal basis for processing:Your data is processed on the basis of your consent. When you agree to the processing of your data in our cookie banner, you give us permission to process your data to the extent described here.

Recipients of the data:The information generated by the cookie about your use of this website is generally transmitted to a Google server in the USA and stored there. The appropriate level of protection for this transfer is ensured by standard contractual clauses in accordance with Art. 46 GDPR. You can find further information on the standard contractual clauses and suitable or appropriate safeguards athttps://privacy.google.com/businesses/processorterms/Google acts for us as a data processor and may use the transmitted data only for handling the specific orders. By contract, Google is obliged to comply with the statutory data protection regulations towards us.

Further information:
You can prevent cookies from being stored by adjusting the settings in your browser software. Please note, however, that in this case you may not be able to use all functions of the websites to their full extent. You can also prevent Google from collecting the data generated by the cookie and related to your use of the websites (including your anonymised IP address), as well as from processing this data, by downloading and installing the browser plug-in available at the following link (http://tools.google.com/dlpage/gaoptout?hl=de).

WEB ANALYTICS

Web analytics tool and voucher shop by INCERT eTourism GmbH & Co KG:

Purpose of processing: On our website, we use a web analytics tool from INCERT eTourism GmbH & Co KG . The data is processed to create statistical evaluations and to technically optimise our online offering. Web analytics allow us to see how many guests visit our website, which pages and categories are particularly popular, and which content is of less interest. The data required for this analysis is collected using so‑called tracking pixels (small image files integrated into our website that make it possible to analyse your usage behaviour) or via server log files.

The following user data is collected through our web analytics:

• Referrer (previously visited website)
• Requested webpage or file
• Browser type and browser version
• Operating system used
• Device type used
• Time of access
• IP address
• App Updates
• Click path
• Date and time of visit
• Downloads
• Flash version
• Location information
• JavaScript support
• Visited pages
• Purchase activity
• Widget interactions

To ensure that no conclusions can be drawn about individual users of our website, IP addresses are immediately anonymised. This means that no personal data is processed.

Recipients of the data:The analysis of the collected data is carried out exclusively by us; the data is not passed on to third parties.

Further information:Your data will be stored for a maximum of7 years.

Web analytics tool Microsoft Clarity:

This is a web analytics service provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland. It is used to collect data on user behavior and to analyze usability (e.g. heatmaps, session recordings with masking of sensitive data).

Recipients of the data:The analysis of the collected data is carried out exclusively by us; the data is not passed on to any third parties.

You can find more information about Microsoft Clarity and the exact scope and purpose of data processing in the Microsoft Clarity Privacy Statement at https://learn.microsoft.com/en-us/clarity/faq#privacy. The party responsible for data processing is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland

2.3.2. Remarketing

We also use the remarketing function of Google Ads and Google DoubleClick, an online marketing service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

Purpose of processing:To display advertising on our website that is tailored to you and to analyse how you interact with these ads. Using this tool also enables us to present interest-based advertising.

Legal basis for processing:Your data is processed on the basis of your consent.

Recipients of the data:The information generated by the cookie about your use of the website is generally transmitted to a Google server in the USA and stored there. The appropriate level of protection for this transfer is ensured by standard contractual clauses in accordance with Art. 46 GDPR. You can find further information on the standard contractual clauses and suitable or appropriate safeguards athttps://privacy.google.com/businesses/processorterms/Google acts for us as a data processor and may use the transmitted data only for handling the specific assignments. By contract, Google is obliged to comply with the statutory data protection regulations towards us.

Additional platforms:We run advertising on Google Ads/YouTube, Microsoft Ads (including Edge), Meta Ads (Facebook/Instagram), and TikTok. Data is processed based on your consent; data is transferred to US-based servers using SCCs. Details:

• TikTok: https://ads.tiktok.com/help/article/privacy-policy
• Microsoft Ads: https://privacy.microsoft.com/de-de/privacystatement.

2.4. Data processing in the context of our social media activities:

We use what are known as “social media plugins”. These allow us to display interactive elements or content (e.g. text posts, graphics, images and videos) from social media services for you. Through these plugins, data – including personal data – may be transmitted to the social media service providers and potentially used by them.

When you visit our website, a direct connection between your browser and the server of the social media service provider is only established via the social media plugins once you have consented to the transfer of your data.

We currently use social media plugins from the following providers:

META (Facebook/Instagram)

The plugins can display interactive elements or content (e.g. videos, graphics or text posts). We use plugins from the Meta service (recognizable by the Facebook “f” logo, the “Like” button or the Instagram icon). With these plugins, you can “like” a post on our website or share it on Facebook. Data is only transmitted to Meta once you have given your consent to their use.

The cookies stored by Meta on your device are determined by the data protection settings you select in the cookie banner provided by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany.

You can find more information about Meta and the exact scope and purpose of data processing in Meta’s privacy policy at https://www.facebook.com/privacy/explanation. The party responsible for data processing is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

YOUTUBE

We use plugins from the YouTube service on our website. These plugins may display interactive elements or content (e.g. videos, graphics or text posts). Through these plugins, data can be transmitted to YouTube and may be used by YouTube. Data is only transmitted to YouTube once you have given your consent to its use.

The cookies stored by Google on your device are determined by the privacy settings you selected in the cookie banner provided by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany.

You can find more information about YouTube and the exact scope and purpose of data processing in Google’s Privacy Policy at
https://policies.google.com/privacy. The party responsible for data processing is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

2.5. Other Third-Party Providers

To enhance our website, we also use the following third-party providers:

GOOGLE MAPS

By integrating Google Maps, we can display Google’s map service directly on our website and enable you to use the map function. Through this integration, data may be sent to Google and potentially used by Google. When you visit our website, no data is transmitted to Google automatically.

When integrating Google Maps into our website, we use the so‑called “two-click solution”. This means that no data is automatically transmitted to Google when you visit our website. Only once you click the relevant button on the Google Maps map will data be transmitted to Google.

The appropriate level of protection for the transfer is ensured by standard contractual clauses in accordance with Art. 46 GDPR. You can find more information about the standard contractual clauses and suitable or appropriate safeguards at https://privacy.google.com/businesses/processorterms/. Google acts for us as a data processor and may use the transmitted data only for handling the specific assignments. By contract, Google is obliged to comply with the statutory data protection regulations towards us.

CLOUDFLARE

This service enhances the security and performance of websites. By integrating Cloudflare, data may be transmitted to a server in the USA. The appropriate level of protection for this transfer is ensured by standard contractual clauses in accordance with Art. 46 GDPR. You can find further information on the standard contractual clauses and suitable or appropriate safeguards at https://www.cloudflare.com/de-de/privacypolicy/?utm_referrer=https://www.google.com/. Cloudflare acts for us as a data processor and may use the transmitted data only for handling the specific assignments. By contract, Cloudflare is obliged to comply with the statutory data protection regulations.

HEYFLOW

By integrating Heyflow, we can display interactive web forms (also called “flows”) and other Heyflow features on our website and in our online shop. The party responsible for data processing is Heyflow GmbH, Jungfernstieg 49, 20354 Hamburg, Germany.Further information about Heyflow and the exact scope and purpose of data processing.

Enquiries about massage and beauty appointments are forwarded to our wellness partner Merkur Lifestyle GmbH for further contact and appointment scheduling. Enquiries about the day packages "Romantic Day Spa" and "Breakfast and Spa" are forwarded to GSL Thermenhotel Loipersdorf Betriebs GmbH for further contact and appointment scheduling.

3. Data processing for direct marketing purposes:

Purpose and legal basis of processing:If we have received your contact details in connection with a purchase or a service, we also process this data so that, based on our legitimate interest, we can send you promotional information by post and email (including newsletters) about our own similar products and services.

If you no longer wish to be contacted by us, no problem. Simply get in touch at [email protected].

Recipients of the data:The following service providers receive your data in order to create and send the newsletter on our behalf:

MAILCHIMP

an email marketing platform provided by the US company The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA. This company acts as a processor on our behalf and may only use your data to handle specific orders. It is contractually obliged to us to comply with the statutory data protection regulations. The appropriate level of protection for transferring data to the USA is ensured by standard contractual clauses in accordance with Art. 46 GDPR. You can find further information on the standard contractual clauses and suitable or appropriate safeguards at https://mailchimp.com/legal/data-processing-addendum/.

Further information:We process your data on the basis of your consent until you withdraw it or unsubscribe from the newsletter.

DIALOGSHIFT (DialogShift chat application on our website)

Our website uses the chat application of DialogShift GmbH, Torstr. 201, 10115 Berlin. This application processes and stores data for the purpose of web analysis, operating the chat application and responding to enquiries. To operate the chat function, chat texts are stored and a cookie with a unique ID is set – this serves to recognise returning guests. A cookie is a small text file that is stored locally in the cache on your device. With the help of this cookie, the application recognises the device and can retrieve past chat histories. This cookie is stored for 90 days from the last use. The storage of cookies can be disabled in your browser settings. However, without the use of cookies, the chat function cannot be provided. Any disclosure of, for example, your name, email address or telephone number is voluntary and constitutes your consent for us to use and store this data temporarily for the purpose of making contact until the end of the interaction. These personal data are deleted after 90 days.
The legal basis for data processing is Art. 6 para. 1 lit. a GDPR, § 25 para. 1 TTDSG on the basis of your consent.
DialogShift provides further information at https://www.dialogshift.com/datenschutz on the collection and use of data, as well as on your rights and options for protecting your privacy.

4. Data processing in the course of business operations:

4.1. Data processing in the context of making contact:

Purpose of processing:When you get in touch with us (e.g. by email, contact form or phone), we process the data you provide in the course of making contact solely to the extent necessary to handle and respond to your enquiry.

Legal basis for processing:Your data is processed for the purpose of carrying out pre-contractual measures and/or fulfilling a contractual relationship, or is based on our legitimate interest, namely the efficient organisation and handling of your enquiry.

Recipients of the data:These data will only be transmitted if such transmission is necessary in order to respond to your enquiry.

Further information:We process your data for as long as it is necessary to handle your enquiry and, beyond that, for a further seven years after our last contact with you in case of any follow-up enquiries.

4.2. Data processing in connection with orders and the customer account:

Purpose of processing:When you register on our website for our online shop (ticket shop or voucher shop), we process the data you provide during registration in order to establish our business relationship within the scope of the contractual agreement and to handle the services we offer.

Legal basis for processing:Your data is processed for the purpose of carrying out pre-contractual measures and fulfilling a contractual relationship.

Recipients of the data:If it is necessary to transfer the data relevant to your specific case for the fulfillment of the contractual relationship or on the basis of a legal requirement, it will be shared with the following recipients:

• INCERT eTourismus GmbH & Co KG

Further information:You can delete your user account at any time. To do so, simply send us an email at[email protected]requesting deletion of your user account. Once you have submitted your deletion request, your data will be erased by INCERT eTourism GmbH & Co KG no later than14 daysafter your user account has been deleted.

• TAC Informationstechnologie GmbH

Further information:You can delete your user account at any time. You can request the deletion of your user account by email at [email protected]. Once you have requested the deletion of your user account, your data will be deleted by TAC Informationstechnologie GmbH no later than 14 days after your user account has been deleted.

4.3. General data processing in connection with a guest booking:

Purpose of processing:When you place an order with us, we process your data to handle your order, to respond to any questions you may have in connection with your order, and to formally manage the business transactions we carry out for you as part of our business relationship.

Legal basis for processing:Your data is processed for the performance of a contractual relationship or is based on a legal requirement within the scope of a business relationship (or for the handling of such a relationship).

Recipients of the data:If it is necessary to transfer the data relevant to your individual case for the fulfillment of the contractual relationship or on the basis of a legal requirement, this will be done to the following categories of recipients:

• Loungers
• Legal representative
• Certified public accountants, auditors and tax consultants
• Dishes
• Competent administrative authorities
• Debt collection agency
• External financier
• Contractual and Business Partners
• Insurance
• Statistics Austria
• Transport company
• Suppliers

Further information:We only process your data for as long as this is necessary to fulfil our contractual relationship with you or to comply with legal obligations (such as statutory tax and corporate record-keeping requirements). As a rule, we retain data for seven years.

4.4. Data processing for the purpose of carrying out administrative activities

Purpose of processing:We operate a customer relationship management system and process your data in order to document and enhance our relationship with you as a guest (recording the content of communication between our team members and you).

Legal basis for processing:We process your data on the basis of our legitimate interest in optimising our customer-specific communication with you.

Recipients of the data:Your data will not be passed on to third parties for their own purposes.

Further information:We store your data until the end of the third year after our last contact with you.

5. Your Rights

5.1. Right of access to stored data pursuant to Article 15 GDPR

You have the right to request information about whether we process any personal data relating to you. If this is the case, you are entitled to receive information about this personal data as well as further details related to its processing.

5.2. Right to rectification of inaccurate data pursuant to Article 16 GDPR

If any personal data we process about you is not (or is no longer) accurate or is incomplete, you may request a correction and, where applicable, completion of this data.

5.3. Right to erasure of data pursuant to Article 17 GDPR

If the legal requirements are met, you can request the erasure of your personal data.

5.4. Right to restriction of data processing pursuant to Article 18 GDPR

If the legal requirements are met, you can request the restriction
of processing of your personal data.

5.5. Right to data portability pursuant to Article 20 GDPR

If the legal requirements are met, you can request that your data be transferred in a structured, commonly used and machine-readable format.

5.6. Right to object to unreasonable data processing pursuant to Article 21 GDPR

For reasons arising from your particular situation, you may at any time object to the processing of your personal data that we carry out on the basis of our legitimate interests in accordance with Art. 6 (1) (f) GDPR.

5.7. Right to withdraw consent

If processing is carried out on the basis of a declaration of consent, you have the option to withdraw this consent at any time, without affecting the lawfulness of the processing carried out on the basis of your consent up to the time of withdrawal.

5.8. Right to lodge a complaint with the data protection authority

If you believe that our processing of your personal data violates applicable data protection law, or that your data protection rights have been infringed in any other way, you have the option to lodge a complaint with the competent supervisory authority (Austrian Data Protection Authority). The address is:

• Austrian Data Protection Authority
• Barichgasse 40-42, 1030 Vienna
• Phone:+43 1 52 152-0
• Email: [email protected]

6. Further information:

The data we ask you to provide is required so that we can process the purchase of our products and the provision of our services within the scope of our contractual relationship, respond to any information requests you have made, and send you our newsletters and other information.

If you choose not to provide this data, we will unfortunately be unable to deliver our services.

No automated decision-making, including profiling, takes place. If we process your personal data for any purpose other than the one for which it was originally collected, we will inform you of this and let you know what the new purpose is.