Privacy policy of the Carthago Group (Carthago Reisemobilbau GmbH, Malibu GmbH & Co. KG and Carthago d.o.o.)

1. Data protection at a glance

General notes

The following notes provide a simple summary of what happens to your personal data when you visit this website. Personal data is all data by which you can be personally identified. For detailed information on data protection, please see our privacy policy further below.

Collection of data on this website

Who is responsible for the collection of data on this website?

The website operator is responsible for processing data on this website. Their contact details can be found in the “Notes on data controller” section of this privacy policy.

How do we collect your data?

Firstly, your data is collected when you disclose it to us. For instance, this might be data that you enter in a contact form.

Other data is collected by our IT systems when you visit the website, either automatically or after you give your consent. This primarily consists of technical data (e.g. internet browser, operating system or time of page access). This data is collected automatically as soon as you enter this website.

What do we use your data for?

Some of the data is collected to ensure the error-free functioning of the website. Other data may be used to analyse your user behaviour.

What rights do you have in relation to your data?

You have the right to obtain information – at any time and free of charge – about the origin and recipients of your personal data, as well as the purpose for which it is being stored. You also have the right to request the rectification or erasure of this data. If you have granted consent to data processing, you may withdraw this consent at any time, with effect for the future. In addition, you have the right – under certain circumstances – to request that the processing of your personal data be restricted. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.

If you have any questions about this or other data protection matters, please feel free to contact us at any time.

Analytics tools and third-party tools

When you visit this website, your browsing behaviour may undergo statistical analysis. This is primarily carried out using analytics programs.

Detailed information on these analytics programs can be found in the privacy policy below.

2. Hosting

We host the content of our website with the following provider:

External hosting

This website is hosted externally. The personal data collected on this website is stored on the servers of our host(s). This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website access data and any other data generated via a website.

External hosting is carried out for the purpose of fulfilling contracts with our potential and existing customers (Art. 6 (1) (b) GDPR) and in the interest of ensuring secure, fast and efficient provision of our online offering by a professional provider (Art. 6 (1) (f) GDPR). If appropriate consent has been obtained, processing is carried out exclusively on the basis of Art. 6 (1) (a) GDPR and § 25 (1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user’s end device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be withdrawn at any time.

Our host(s) will only process your data to the extent necessary to fulfil its performance obligations and follow our instructions with regard to this data.

We use the following host(s):
netcup GmbH
Daimlerstraße 25
D-76185 Karlsruhe

Processing by a data processor

We have concluded a data processing agreement (DPA) covering the use of the above-mentioned service. This agreement is required by data protection law and ensures that the personal data of our website visitors is processed by this service exclusively in accordance with our instructions and in compliance with the GDPR.

3. General notes and information on obligations

Data protection

The operators of these pages take the protection of your personal data extremely seriously. We treat your personal data confidentially, and in accordance with the data protection provisions and this privacy policy.

Various items of personal data are collected when you use this website. Personal data is data by which you can be personally identified. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done.

Please note that the transmission of data on the internet (e.g. when communicating via e-mail) may be susceptible to security vulnerabilities. It is not possible to provide the data with full protection against access by third parties.

Notes on the data controller

The data controller with responsibility for data processing on this website is:

Carthago Group
Carthago Ring 1
88326 Aulendorf
Germany

Phone: +49 (0)7525 92000
E-mail: marketing@carthago.com

The data controller is the natural or legal person who determines the purposes for which and means by which personal data (e.g. names, e-mail addresses or similar) is processed, either alone or in conjunction with others.

Storage duration

Unless a more specific storage duration is stated in this privacy policy, your personal data will be retained by us until the purpose of data processing no longer applies. If you make a legitimate request for erasure or if you withdraw your consent to data processing, your personal data will be erased unless we have other legally permissible grounds for storing it (e.g. due to record retention periods required under tax or commercial law); in the case of the latter, it will be deleted when these grounds cease to exist.

General notes on the legal bases of data processing on this website

If you have consented to data processing, we will process your personal data on the basis of Art. 6 (1) (a) GDPR and, in cases where special categories of data according to Art. 9 (1) GDPR are being processed, in accordance with Art. 9 (2) (a) GDPR. If you have expressly consented to personal data being transferred to third countries, data will also be processed on the basis of Art. 49 (1) (a) GDPR. If you have given consent for cookies to be stored or information to be accessed on your end device (e.g. via device fingerprinting), data will additionally be processed on the basis of § 25 (1) TDDDG. Consent can be withdrawn at any time. If your data is required to fulfil a contract or to take steps prior to entering into a contract, we will process your data on the basis of Art. 6 (1) (b) GDPR. Furthermore, if your data is required in order to comply with a legal obligation, we will process it on the basis of Art. 6 (1) (c) GDPR. Moreover, the data may be processed on the basis of our legitimate interest according to Art. 6 (1) (f) GDPR. The following sections of this privacy policy provide information on the legal bases that are applicable in each individual case.

Data protection officer

We have appointed a data protection officer.

Christoph Boser

Phone: Phone: +49 7525 9200 3000
E-mail: datenschutz@carthago.com

Recipients of personal data

As part of our business activities, we collaborate with various external organisations. Sometimes, it is also necessary to transfer personal data to these external organisations. We only disclose personal data to external organisations if this is necessary for fulfilling a contract, if we are legally required to do so (e.g. disclosure of data to tax authorities), if we have a legitimate interest in doing so under Art. 6 (1) (f) GDPR or if the disclosure of the data is permitted by some other legal basis. Where processors are used, we will only disclose our customers’ personal data on the basis of a valid data processing agreement. In the case of joint processing, a joint processing agreement will be concluded.

Withdrawal of your consent to data processing

Many data processing operations are only possible with your express consent. You may withdraw any consent already granted at any time, with effect for the future. The withdrawal of consent will not affect the lawfulness of the data processing carried out prior its withdrawal.

The right to object to data collection in particular cases and to direct marketing (Art. 21 GDPR)

IF THE DATA IS BEING PROCESSED ON THE BASIS OF ART. 6 (1) (E) OR (F) GDPR, YOU HAVE THE RIGHT – AT ANY TIME – TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO ANY PROFILING BASED ON THESE PROVISIONS. FOR INFORMATION ABOUT THE RESPECTIVE LEGAL BASIS COVERING A PARTICULAR INSTANCE OF PROCESSING, PLEASE REFER TO THIS PRIVACY POLICY. IF YOU FILE AN OBJECTION, WE WILL NO LONGER PROCESS YOUR RELEVANT PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR UNLESS THE PROCESSING IS NECESSARY TO ESTABLISH, EXERCISE OR DEFEND AGAINST LEGAL CLAIMS (OBJECTION ACCORDING TO ART. 21 (1) GDPR).

WHERE YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO PROCESSING OF YOUR PERSONAL DATA FOR SUCH MARKETING, WHICH INCLUDES PROFILING TO THE EXTENT THAT IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL THEREAFTER NO LONGER BE USED FOR DIRECT MARKETING PURPOSES (OBJECTION ACCORDING TO ART. 21 (2) GDPR).

Right to lodge a complaint with the competent supervisory authority

In the event of infringements of the GDPR, the data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement. The right to lodge a complaint exists without prejudice to any other administrative or judicial remedy.

Right to data portability

In cases where we process data on the basis of your consent or automatically for the purpose of fulfilling a contract, you have the right to have this data sent to you or to a third party in a commonly used, machine-readable format. If you ask for the data to be transmitted directly to another controller, this will only take place if technically feasible.

Information, rectification and erasure

Within the scope of the applicable legal provisions, you have the right – at any time and free of charge – to obtain information about your stored personal data, its origin and recipients, and the purpose of data processing. You may also have the right to have this data rectified or erased. If you have any questions about this or other matters relating to personal data, please feel free to contact us at any time.

Right to restriction of processing

You have the right to request that processing of your personal data be restricted. If you have any questions about this, please feel free to contact us at any time. The right to restriction of processing applies in the following cases:

If you contest the accuracy of the personal data we are storing about you, we will usually need some time to check this. While the check is being carried out, you have the right to request that processing of your personal data be restricted.
If your personal data has been/is being processed unlawfully, you may request that processing be restricted instead of having the data erased.
If we no longer require your personal data but you need it in order to exercise, defend or establish legal claims, you have the right to request that the processing of your personal data be restricted instead of having it erased.
If you have lodged an objection in accordance with Art. 21 (1) GDPR, a balancing of your interests and ours must be carried out. Until it has been determined whose interests override those of the other party, you have the right to request that processing of your personal data be restricted.

If you have had the processing of your personal data restricted this data is – with the exception of storage – only allowed to be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

SSL or TLS encryption

For security reasons and to protect the transmission of confidential content – such as orders or enquiries you send to us as the site operator – this site uses SSL or TLS encryption. You will know that the connection is encrypted if the address line of the browser changes from “http://” to “https://” and if there is a padlock symbol in your browser bar.

When SSL or TLS encryption is enabled, the data you transmit to us cannot be intercepted and read by third parties.

Objection to marketing e-mails

Our contact details are published on our website as part of our obligation to include a legal notice for visitors. We hereby object to the use of these contact details for the purpose of sending marketing and information materials that have not been expressly requested. The site operators expressly reserve the right to take legal action in the event of anyone sending unsolicited marketing materials, such as spam e-mails

4. Collection of data on this website

Cookies

Our website uses “cookies”. Cookies are small data packets that do not cause any harm to your end device. They are stored on your end device either temporarily for the duration of a session (session cookies) or permanently (permanent cookies). Session cookies are deleted automatically at the end of your visit. Permanent cookies remain on your end device until you delete them yourself or until they are deleted automatically by your web browser.

Cookies may originate from us (first-party cookies) or from third-party companies (third-party cookies). Third-party cookies enable specific services from third-party companies to be integrated into websites (e.g. cookies for managing payment services).

Cookies perform various functions. Many cookies are necessary from a technical perspective because certain website functions would not work without them (e.g. the shopping basket function or video playback). Other cookies may be used to analyse user behaviour or for advertising purposes.

Cookies that are necessary for performing the electronic communication process, providing certain functions you wish to use (e.g. the shopping basket function) or optimising the website (e.g. cookies for measuring audience reach) (essential cookies) are stored on the basis of Art. 6 (1) (f) GDPR, unless another legal basis is specified. The website operator has a legitimate interest in storing essential cookies so that its services can be provided free of technical faults and in an optimised manner. If consent to the storage of cookies and similar recognition technologies has been obtained, processing will take place solely on the basis of this consent (Art. 6 (1) (a) GDPR and § 25 (1) TDDDG); this consent can be withdrawn at any time.

You can configure your browser to notify you when cookies are set so that you can allow them on a case-by-case basis, to block cookies either in specific cases or entirely, and to enable the automatic deletion of cookies when the browser is closed. Disabling cookies may restrict the functionality of this website.

Details of which cookies and services are used on this website can be found in this privacy policy.

Server log files

The website provider automatically collects and stores information in server log files, which are automatically transmitted to us by your browser. This involves the following information:

Browser type and version
Operating system used
Referrer URL
Host name of computer requesting access
Time of server request
IP address

This data is not combined with other data sources.

This data is collected on the basis of Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in ensuring that its website is displayed without technical faults and is optimised – this requires the collection of server log files.

Contact form

When you send us enquiries via the contact form, we store your details from the enquiry form, including the contact details you have provided there, for the purpose of processing the enquiry and in case any follow-up questions arise. We will not disclose this data without your consent.

This data is processed on the basis of Art. 6 (1) (b) GDPR, insofar as your enquiry relates to the fulfilment of a contract or is necessary to take steps prior to entering into a contract. In all other cases, processing is based on our legitimate interest in effectively handling the enquiries addressed to us (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR), insofar as this has been obtained; consent can be withdrawn at any time.

We will retain the data you entered in the contact form until you ask us to erase it, withdraw your consent to its storage or the purpose for storing the data no longer applies (e.g. once your enquiry has been processed). Mandatory legal provisions – particularly retention periods – remain unaffected.

Enquiry via e-mail, phone or fax

When you contact us by e-mail, telephone or fax, your enquiry – including all resulting personal data (such as your name and the enquiry itself) – will be stored and processed by us for the purpose of handling your request. We will not disclose this data without your consent.

We will retain the data you provided when contacting us with an enquiry until you ask us to erase it, withdraw your consent to its storage or the purpose for storing the data no longer applies (e.g. once your request has been processed). Mandatory legal provisions – particularly legal retention periods – remain unaffected.

5. Third-party systems (vehicle configurator, referral to dealers, etc.)

We want to provide you with the best possible service on our website. For this reason, we offer you various functions that allow you to edit vehicle configurations, arrange personal consultations with us or our dealers, submit service requests or access other services. Below, we provide an overview of the personal data we process in this context and the third-party systems involved.

Depending on which function you select (e.g. consultation requests, vehicle configurations, service requests or rental enquiries), the following data, in particular, may be processed:

Contact details (e.g. name, address, e-mail address, telephone number)
Vehicle-specific data (e.g. vehicle model, configuration, vehicle type)
Identification data (e.g. ID card number in the case of certain procedures)
Other voluntarily disclosed information (e.g. personal preferences, collection and return days for rental vehicles, other matters or concerns)

The legal basis for processing is usually your consent in accordance with Art. 6 (1) (a) GDPR and also, depending on the nature of the enquiry, Art. 6 (1) (b) GDPR (steps prior to entering into a contract or necessary for performing a contract).

Please note:

If you request a consultation with one of our dealers and provide a postcode when contacting us, we will attempt to refer your enquiry to a dealer near you. The dealer is responsible for processing your data from the time of the referral. If, for example, the matter relates to a specific vehicle offer from the dealer or a service appointment, please contact the dealer directly with any queries or concerns.

The following sections contain further information about the third-party systems we use to provide the functions and/or services on our website:

HubSpot CRM

We use HubSpot CRM on this website. The provider is HubSpot Inc., 25 Street, Cambridge, MA 02141 USA (hereinafter HubSpot CRM).

HubSpot CRM allows us to manage current and potential customers, as well as customer contacts, among other things. With the help of HubSpot CRM, we can record, sort and analyse customer interactions via e-mail, social media or telephone across a variety of channels. The personal data collected in this way can be analysed and used for communication with the potential customer or for marketing activities (e.g. newsletter mailings). HubSpot CRM also allows us to record and analyse the user behaviour of our contacts on our website.

Our use of HubSpot CRM is based on Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in the most efficient customer management and customer communication possible. If appropriate consent has been obtained, processing is carried out exclusively on the basis of Art. 6 (1) (a) GDPR and § 25 (1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user’s end device (e.g. device fingerprinting) within the meaning of the TDDDG. You can withdraw your consent at any time with effect for the future.

Further details can be found in the HubSpot privacy policy: https://legal.hubspot.com/de/privacy-policy.

The transfer of data to the USA is underpinned by the Standard Contractual Clauses of the EU Commission. Details can be found here: https://www.hubspot.de/data-privacy/privacy-shield.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the United States intended to ensure compliance with European data protection standards when data is processed in the USA. Every company that is certified according to the DPF undertakes to comply with these data protection standards. Further information is available from the provider via the following link: https://www.dataprivacyframework.gov/participant/5812.

Processing by a data processor

Caravana

We use the Caravana vehicle marketplace on this website. The provider is CARAVANA GmbH; Pferdemarkt 2; 19300 Grabow, Germany (hereinafter Caravana).

With the help of Caravana, our website provides a market for available vehicles offered by various dealers as part of campaigns. If you are interested in a vehicle, you have the option of contacting a dealer using our form to obtain further information, arrange a consultation, or get a quote for the vehicle. For this purpose, the information you provide in the form – including your data, vehicle model, title, first name, surname, street, postcode, town/city, country, telephone number, e-mail address and consent to the privacy policy – will be transmitted to the respective dealer offering the vehicle. The provider of the vehicle is in turn responsible for the processing of the data from the time the data is transmitted and will decide how further communication with you will take place in accordance with the contact details provided and in relation to your enquiry.

This collection, storage and transmission of data takes place on the basis of your voluntarily granted consent in accordance with Art. 6 (1) (a) in association with Art. 7 GDPR. You can withdraw your consent at any time with effect for the future by e-mailing marketing@carthago.com or sending a letter to Carthago Reisemobilbau GmbH, Carthago Ring 1, 88326 Aulendorf. You are also entitled to assert your rights against the dealer. To do so, please contact your selected dealer.

Further details can be found in the Caravana privacy policy:

https://www.caravana.de/datenschutz

DealerDesk

We use DealerDesk in our factory outlet, as well as to pass on your consultation requests to our dealers. The provider is dealerdesk GmbH, Röntgenstraße 22, 22335 Hamburg, Germany (hereinafter DealerDesk).

The data is stored and used by the respective dealer to process your request. The dealer is in turn responsible for the processing of the data from the time the data is transmitted and will decide how further communication with you will take place in accordance with the contact details provided and in relation to your enquiry.

With the help of Dealerdesk, sales enquiries can be recorded and automatically shared with the sales team in the factory outlet and at our dealers. Your data, vehicle model, first name, surname, street, house number, postcode, city, state, country, e-mail address, telephone number, lead source, time of data entry and consent to the privacy policy are recorded for this purpose.

Service enquiries are collected and automatically forwarded to the right contact person in the factory outlet, which enables efficient processing. A flexible call centre answers calls on behalf of the factory outlet and qualifies them in order to minimise sales losses and strengthen customer loyalty.

Internal communication is improved by Dealerdesk, as the system creates and distributes qualified service and sales processes.

Dealerdesk also provides seamless integration with third-party products via an open REST API, which facilitates the exchange of data between different systems. Documents such as invoices and quotes can be digitally prepared, signed and saved.

The platform also enables interaction with customers via various channels such as e-mail, telephone, SMS, WhatsApp or video chat.

With extensive analysis and comparison options for data on sales development and employee performance, Dealerdesk helps you to make well-founded business decisions. The system also manages all financial data in one place and automatically assigns it to the appropriate users, making it easier to manage leasing and financing offers.

This collection, storage and transmission of data takes place on the basis of your voluntarily granted consent in accordance with Art. 6 (1) (a) in association with Art. 7 GDPR. You can withdraw your consent at any time with future effect by e-mailing marketing@carthago.com or sending a letter to Carthago Reisemobilbau GmbH, Carthago Ring 1, 88326 Aulendorf, Germany.

Further details can be found in the DealerDesk privacy policy:

Data protection – Dealerdesk | CRM solution for car dealerships

Syscara

We use Syscara on this website, in our factory outlet, and when passing on your consultation requests to our dealers. The provider is Syscara, Lassahner Str. 73, 19300 Grabow, Germany (hereinafter Syscara).

Syscara provides CRM software. This software enables simple vehicle registration, automated generation of quotes and digital contracts.

With the help of Syscara, quotes and/or orders can be prepared. Your data, vehicle model, first name, surname, street, house number, postcode, city, state, country, e-mail address, telephone number, lead source, time of data entry, ID card number and copy, as well as your consent to the privacy policy are recorded for this purpose.

An integrated market value assessment facilitates realistic pricing. Syscara offers a module for managing the rental fleet that quickly prepares bookings, price groups and rental contracts. A clearly laid out calendar prevents double bookings and optimises vehicle utilisation. Seasonal rental prices and deposit rules can be customised.

With the help of Syscara, rental vehicles can be rented on our Malibu Rent website. Your data, vehicle model, first name, surname, street, house number, postcode, city, e-mail address, telephone number, pick-up day, return day, accompanying dog, and consent to the privacy policy will be used for this purpose.

For repair and maintenance orders, Syscara offers a module that enables the planning of workshop appointments, spare parts orders and service orders. Employees always have an up-to-date overview of outstanding orders and customers receive automatic notifications about the status of their vehicles.

This collection, storage and transmission of data takes place on the basis of your voluntarily granted consent in accordance with Art. 6 (1) (a) in association with Art. 7 GDPR. You can withdraw your consent at any time with future effect by e-mailing marketing@carthago.com or sending a letter to Carthago Reisemobilbau GmbH, Carthago Ring 1, 88326 Aulendorf, Germany.

Further details can be found in the Syscara privacy policy:

syscara.com/datenschutz.php

CAS genesisWorld and CAS Merlin CPQ

We use CAS genesisWorld and Merlin CPQ on this website. The provider is CAS Software AG, CAS-Weg 1 – 5, 76131 Karlsruhe, Germany (hereinafter CAS genesisWorld / Merlin CPQ).

CAS genesisWorld is a CRM software solution, while CAS Merlin CPQ is a product configurator. The software enables vehicle configurations to be generated and offers centralised data management, where all relevant information such as contact details, vehicle configurations, appointments, tasks, documents and orders are brought together in one place.

With the help of CAS Merlin CPQ, vehicle configurations on this website can be saved and sent by mail to potential customers. Your data, vehicle model, first name, surname, e-mail address, postcode and consent to the privacy policy will be used for this purpose.

The structured and chronological organisation of customer information in CAS genesisWorld ensures maximum transparency and an optimal overview. Sales staff can monitor all points of contact with current and prospective customers, which leads to accelerated sales processes. All relevant customer-related data is stored in the central CRM system CAS genesisWorld.

Our dealers use CAS Merlin CPQ and CAS genesisWorld to process customer enquiries and order vehicles from the Carthago Group.

This collection, storage and transmission of data takes place on the basis of your voluntarily granted consent in accordance with Art. 6 (1) (a) in association with Art. 7 GDPR. You can withdraw your consent at any time with future effect by e-mailing marketing@carthago.com or sending a letter to Carthago Reisemobilbau GmbH, Carthago Ring 1, 88326 Aulendorf, Germany.

Further details can be found in the CAS genesisWorld privacy policy:

Data protection – CAS Software AG

TefKat

We use TefKat on this website. The provider is tef-dokumentation GmbH, Angelestr. 56, 88214 Ravensburg, Germany (hereinafter TefKat).

Only the dealer has access to TefKat via: https://www.carthago.com/his/

TefKat is a software solution that has been specially developed for spare parts management and after-sales service. It enables quick and easy identification of spare parts, thereby preventing ordering errors. Product changes or periodic price updates are not insurmountable barriers. Additional information on the individual spare parts or components, such as mounting or assembly instructions, can be easily integrated. When ordering spare parts, the display of outstanding orders, the order history and the selection of shipping method are helpful aids. TefKat also serves as a digital reference work for the configuration of the products and offers various options for creating the spare parts catalogue.

With the help of TefKat, this website records data from dealers for warranty registration and processing. Your data, title, first name, surname, street, postcode, city, country, telephone number, e-mail address, body key number, number plate, vehicle type (private, commercial, rental), first registration, date of handover to customer, and consent to the privacy policy are used for this purpose.

This collection, storage and transmission of data takes place on the basis of your voluntarily granted consent in accordance with Art. 6 (1) (a) in association with Art. 7 GDPR. You can withdraw your consent at any time with future effect by e-mailing marketing@carthago.com or sending a letter to Carthago Reisemobilbau GmbH, Carthago Ring 1, 88326 Aulendorf, Germany.

Further details can be found in the DealerDesk privacy policy:

Datenschutz.pdf

6. Social media

Facebook

Certain elements of the Facebook social media network are integrated into this website. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. However, according to Facebook, the collected data is also transferred to the USA and other third countries.

An overview of the Facebook social media elements can be found at: https://developers.facebook.com/docs/plugins/?locale=de_DE.

When active, the social media element establishes a direct connection between your end device and the Facebook server. This informs Facebook that you have visited this website using your IP address. By clicking the Facebook “Like” button while logged into your Facebook account, you can link the content of this website to your Facebook profile. This allows Facebook to associate your visit to this website with your user account. We would like to inform you that, as the provider of the website, we have no knowledge of what the transmitted data contains or how it is used by Facebook. For more information, please refer to the Facebook privacy policy at: https://de-de.facebook.com/privacy/explanation.

The use of this service is based on your consent in accordance with Art. 6 (1) (a) GDPR and § 25 (1) TDDDG. Consent can be withdrawn at any time.

In cases where the tool described here is used to collect personal data on our website and transmit it to Facebook, both we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited solely to the collection of the data and its transmission to Facebook. The joint responsibility does not extend to the processing carried out by Facebook following transmission. The obligations that we share jointly have been set out in a joint processing agreement. The text of the agreement can be found at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing data protection information when the Facebook tool is used and for ensuring its secure implementation on our website in compliance with data protection regulations. Facebook is responsible for the data security of Facebook products. You can contact Facebook directly to assert your rights as a data subject (e.g. information requests) in relation to the data processed by Facebook. If you contact us to assert your rights as a data subject, we are obliged to forward the details to Facebook. The transfer of data to the USA is underpinned by the Standard Contractual Clauses of the EU Commission. Details can be found here:

https://www.facebook.com/legal/EU_data_transfer_addendum

https://de-de.facebook.com/help/566994660333381 and

https://www.facebook.com/policy.php

Instagram

This website incorporates certain functions of the Instagram service. These functions are provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. When active, the social media element establishes a direct connection between your end device and the Instagram server. This provides Instagram with information about your visit to this website.

By clicking the Instagram button while logged into your Instagram account, you can link the content of this website to your Instagram profile. This allows Instagram to associate your visit to this website with your user account. We would like to inform you that, as the provider of the website, we have no knowledge of what the transmitted data contains or how it is used by Instagram.

The use of this service is based on your consent in accordance with Art. 6 (1) (a) GDPR and § 25 (1) TDDDG. Consent can be withdrawn at any time.

In cases where the tool described here is used to collect personal data on our website and transmit it to Facebook or Instagram, both we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited solely to the collection of the data and its transmission to Facebook or Instagram. The joint responsibility does not extend to the processing carried out by Facebook or Instagram following transmission.

The obligations that we share jointly have been set out in a joint processing agreement. The text of the agreement can be found at:

https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing data protection information when the Facebook or Instagram tool is used and for ensuring its secure implementation on our website in compliance with data protection regulations. Facebook is responsible for the data security of Facebook and Instagram products. You can contact Facebook directly to assert your rights as a data subject (e.g. information requests) in relation to the data processed by Facebook or Instagram. If you contact us to assert your rights as a data subject, we are obliged to forward the details to Facebook. The transfer of data to the USA is underpinned by the Standard Contractual Clauses of the EU Commission. Details can be found here:

https://www.facebook.com/legal/EU_data_transfer_addendum

https://privacycenter.instagram.com/policy/ and

https://de-de.facebook.com/help/566994660333381

For more information, please refer to the Instagram privacy policy:

https://privacycenter.instagram.com/policy/

https://www.dataprivacyframework.gov/participant/4452

7. Analytics tools and advertising

Google Tag Manager

We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a tool that allows us to integrate tracking or statistical tools and other technologies into our website. Google Tag Manager itself does not create any user profiles, does not store cookies and does not carry out any independent analyses. Its sole function is to manage and deliver the tools integrated through it. However, Google Tag Manager does collect your IP address, which may also be transferred to Google’s parent company in the United States.

Google Tag Manager is used on the basis of Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in quickly and easily integrating and managing various tools on its website. If appropriate consent has been obtained, processing is carried out exclusively on the basis of Art. 6 (1) (a) GDPR and § 25 (1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user’s end device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be withdrawn at any time.

etracker

This website uses the etracker analytics service. The provider is etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany.

etracker allows us to analyse the behaviour of our website visitors. To this end, etracker collects, among other things, your truncated IP address, geographical information (limited to city level), log files, and other information transmitted by your browser to our web server when you access the website. This allows us to measure website interactions such as time spent on the site, conversions (e.g. registrations, orders), scroll events, clicks and page views by the website visitor. These interactions are linked to the website visitor for the duration of the current day, allowing them to be recognised if they revisit the site. Once the day is over, visitors can no longer be recognised by the system.

No cookies will be stored in your browser and no information read from your end device’s memory without your consent. The cookieless use of this analytics tool is based on Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in analysing user behaviour with a view to optimising both its web offering and its advertising. The rights and fundamental freedoms of the data subjects are safeguarded. With etracker analytics, the IP address is anonymised at the earliest possible stage, and visitor recognition is limited to the duration of the current day.

If appropriate consent has been obtained, processing is carried out exclusively on the basis of Art. 6 (1) (a) GDPR and § 25 (1) TDDDG. Consent can be withdrawn at any time.

Further information on data protection with etracker is available here.

Processing by a data processor

Google Ads

The website operator uses Google Ads. Google Ads is an online advertising platform of Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ads enables us to display advertisements in the Google search engine or on third-party websites when users enter specific search terms on Google (keyword targeting). Additionally, targeted advertisements can be displayed based on user data (e.g. location data and interests) held by Google (audience targeting). As the website operator, we can quantitatively analyse this data, for instance, by examining which search terms triggered the display of our advertisements and how many clicks resulted from these ads.

The use of this service is based on your consent in accordance with Art. 6 (1) (a) GDPR and § 25 (1) TDDDG. Consent can be withdrawn at any time.

The transfer of data to the USA is underpinned by the Standard Contractual Clauses of the EU Commission. Details can be found here: https://policies.google.com/privacy/frameworks and https://business.safety.google/controllerterms/.

Meta pixel (formerly Facebook pixel)

This website uses the Facebook/Meta pixel to measure conversions based on visitor actions. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. However, according to Facebook, the collected data is also transferred to the USA and other third countries.

This means that the behaviour of site visitors can be tracked after they click on a Facebook advertisement that redirects them to the provider’s website. This enables the effectiveness of Facebook advertisements to be analysed for statistical and market research purposes, and future advertising campaigns to be optimised.

The collected data remains anonymous to us as the operator of this website, and we cannot draw any conclusions about the identity of users. However, the data is stored and processed by Facebook, which means it can be linked to the respective user profile, and Facebook may use it for its own advertising purposes in accordance with the Facebook data policy (https://de-de.facebook.com/about/privacy/). As a result, Facebook may place advertisements on Facebook pages and outside of Facebook. As the website operator, we have no control over this use of the data.

The use of this service is based on your consent in accordance with Art. 6 (1) (a) GDPR and § 25 (1) TDDDG. Consent can be withdrawn at any time.

We use the advanced matching function within the Meta pixel.

Advanced matching is a feature that enables us to transmit to Meta (Facebook) various types of data that we have collected via our website about our customers and prospects (such as place of residence, federal state, postcode, hashed e-mail addresses, names, gender, date of birth or telephone number). By enabling this function, we can tailor our Facebook advertising campaigns even more precisely to people who are interested in our offerings. In addition, advanced matching improves attribution of website conversions and expands custom audiences.

The transfer of data to the USA is underpinned by the Standard Contractual Clauses of the EU Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

Further information about the protection of your privacy can be found in the Facebook privacy notices: https://de-de.facebook.com/about/privacy/.

You can also disable the “Custom Audiences” remarketing function in the ad preferences settings at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do this, you must be logged into Facebook.

If you do not have a Facebook account, you can disable online behavioural advertising from Facebook on the website of the European Interactive Digital Advertising Alliance: http://www.youronlinechoices.com/de/praferenzmanagement/.

8. Newsletter

Newsletter data

If you wish to subscribe to the newsletter offered on the website, we will need an e-mail address from you, along with information allowing us to check that you are the owner of the specified e-mail address and that you agree to receipt of the newsletter. No further data will be collected or, if it is, only on a voluntary basis. For the purpose of managing the newsletter, we use a newsletter service provider, which is described below.

HubSpot CRM

The provider is HubSpot Inc., 25 Street, Cambridge, MA 02141 USA (hereinafter HubSpot CRM). HubSpot CRM is a service that can be used to organise and analyse newsletter distribution, among other things.

Our newsletters that are sent using HubSpot CRM enable us to analyse the behaviour of newsletter recipients. Among other things, it is possible to analyse how many recipients have opened the newsletter message and how often specific links in the newsletter have been clicked. With the aid of conversion tracking, it is also possible to analyse whether a predefined action (e.g. the purchase of a product on this website) was performed after clicking the link in the newsletter. Further details can be found in the HubSpot CRM privacy policy: https://legal.hubspot.com/de/privacy-policy.

The transfer of data to the USA is underpinned by the Standard Contractual Clauses of the EU Commission. Details can be found here: https://www.hubspot.de/data-privacy/privacy-shield.

The data is processed on the basis of your consent (Art. 6 (1) (a) GDPR). You can withdraw this consent at any time with effect for the future by unsubscribing from the newsletter. The withdrawal of consent will not affect the lawfulness of the data processing operations already carried out.

If you do not want HubSpot CRM to analyse your behaviour, you must unsubscribe from the newsletter. We provide a corresponding link in every newsletter message for this purpose.

The data you provide to us for the purpose of subscribing to the newsletter will be stored by us or by the newsletter service provider until you unsubscribe from the newsletter, whereupon it will be deleted from the newsletter distribution list. This does not affect data that is being stored by us for other purposes.

Once you have been removed from the newsletter distribution list, we or the newsletter service provider may store your e-mail address in a blacklist if this is necessary to prevent future mailings. The data from the blacklist will be used solely for this purpose and will not be combined with other data. This serves our interest in ensuring compliance with the legal requirements for sending newsletters (legitimate interest within the meaning of Art. 6 (1) (f) GDPR). Data is stored in the blacklist indefinitely. You may object to the storage of your data if your interests override our legitimate interest.

Processing by a data processor

9. Plug-ins and tools

YouTube with privacy-enhanced mode

This website embeds videos from YouTube. The operator of YouTube is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

If you visit a page on our website that has YouTube embedded within it, a connection is established to YouTube’s servers. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you will be allowing YouTube to link your browsing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account first.

We use YouTube in privacy-enhanced mode. According to YouTube, videos that are played in privacy-enhanced mode are not used to personalise the YouTube browsing experience. Advertisements shown in privacy-enhanced mode are not personalised either. No cookies are set in privacy-enhanced mode. However, local storage elements are stored in the user’s browser instead. Like cookies, these contain personal data and can be used to recognise users. For details of privacy-enhanced mode, see: https://support.google.com/youtube/answer/171780.

When a YouTube video is activated, it may trigger further data processing operations over which we have no control.

YouTube is used in the interest of presenting our online offerings in an appealing way. This constitutes a legitimate interest within the meaning of Art. 6 (1) (f) GDPR. If appropriate consent has been obtained, processing is carried out exclusively on the basis of Art. 6 (1) (a) GDPR and § 25 (1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user’s end device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be withdrawn at any time.

Further information on data protection at YouTube can be found in the company’s privacy policy at: https://policies.google.com/privacy?hl=de.

Google Fonts (local hosting)

To ensure that fonts are displayed consistently, this site uses what are known as Google Fonts, provided by Google. Google Fonts are installed locally. No connection is established to Google servers.

Further information on Google Fonts can be found at https://developers.google.com/fonts/faq and in the Google privacy policy: https://policies.google.com/privacy?hl=de.

Google Maps

This page uses the Google Maps service. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. This service allows us to integrate cartographic material into our website.

To enable use of the Google Maps functions, it is necessary to store your IP address. This information is usually transmitted to a Google server in the USA and stored there. The provider of this website has no control over this data transmission process. When Google Maps is enabled, Google can use Google Fonts to ensure that the fonts are displayed consistently. When you access Google Maps, your browser loads the necessary web fonts into its cache to display texts and fonts correctly.

Google Maps is used in the interest of presenting our online offerings in an appealing way and making it easy to find the locations listed on the website. This constitutes a legitimate interest within the meaning of Art. 6 (1) (f) GDPR. If appropriate consent has been obtained, processing is carried out exclusively on the basis of Art. 6 (1) (a) GDPR and § 25 (1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user’s end device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be withdrawn at any time.

The transfer of data to the USA is underpinned by the Standard Contractual Clauses of the EU Commission. Details can be found here: https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/.

More information on the handling of user data can be found in the Google privacy policy: https://policies.google.com/privacy?hl=de.

10. Prize draws

The following applies additionally to prize draws:

You can enter our prize draws, subject to compliance with the terms and conditions of entry. The benefits include: being able to enter a prize draw and getting notified if you win.
We process the following data of users who register for one of our prize draws:

Source
Date and time of request (registration and final confirmation)
Answer to prize draw question
Title, first name, surname
E-mail address
Confirmation of entry
Data privacy confirmation

Once you have completed the prize draw details and confirmed both the terms and conditions of entry and the privacy notice, you will be entered into the prize draw for a chance to win.
The data will only be used in the context of the prize draw and will be automatically erased no later than 90 days after the conclusion of the draw.

If you win, the Carthago Group will contact you by e-mail. Please check your spam folder on a regular basis.
You alone are responsible for ensuring the accuracy of the e-mail address and contact details provided during registration. The organiser assumes no liability in the event of it not being possible to deliver the winner’s notification or to award the prize due to an incorrect e-mail address.
The process of entering the prize draw establishes a specific legal relationship (Art. 6 (1) (b) GDPR). In addition, data processing may be based on a balancing of interests (Art. 6 (1) (f) GDPR).
The purpose of the data processing is to enable you to enter the prize draw and to improve overall functionality. In this regard, please also read our terms and conditions of entry.
Your data will continue to be processed for up to 90 days after the conclusion of the prize draw or until it becomes apparent to us that one of the other grounds for erasure under Art. 17 (1) GDPR applies.
You can request that processing be terminated at any time with effect for the future.

Google Tag Manager

We use the Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

The Google Tag Manager is a tool that allows us to integrate tracking or statistical tools and other technologies on our website. The Google Tag Manager itself does not create any user profiles, does not store cookies, and does not carry out any independent analyses. It only manages and runs the tools integrated via it. However, the Google Tag Manager does collect your IP address, which may also be transferred to Google’s parent company in the United States.

The Google Tag Manager is used on the basis of Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the quick and uncomplicated integration and administration of various tools on his website. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TTDSG, insofar the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TTDSG. This consent can be revoked at any time.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active

11. Marketing purposes

Data subjects may receive marketing information from us, where they have given their consent for such purposes.

We process the following data of data subjects:

Source
Date and time of request (registration and final confirmation)
Title, first name, surname
E-mail address
Data privacy confirmation
Consent to being contacted for marketing purposes

Once the data subject has consented to the use of their contact details for marketing purposes and has confirmed the privacy notice, their details will be added to the database for marketing purposes.

You alone are responsible for ensuring the accuracy of the e-mail address and contact details provided during registration.

Contract data will only be disclosed to third parties if it is necessary for the fulfilment of the contract (in accordance with Art. 6 (1) (b) GDPR), if such disclosure serves an overriding interest in effective performance (under Art. 6 (1) (f) GDPR), or if consent has been provided (under Art. 6 (1) (a) GDPR) or some other legal authorisation applies. The data will be stored by us in the HubSpot cloud application and undergo further processing there; the required contracts with the manufacturer have been concluded.

The data will be used for marketing purposes. This includes, for example, increasing brand awareness, acquiring and retaining customers, increasing sales, promoting products and personalised advertising.

The marketing activities that we carry out with HubSpot enable us to analyse the behaviour of recipients. Among other things, it is possible to analyse how many recipients have opened/clicked the marketing message and how often specific links/CTAs have been clicked. With the aid of tracking, it is also possible to analyse whether a predefined action (e.g. the purchase of a product on this website) was performed after clicking the CTA/link.

The data is processed on the basis of your consent (Art. 6 (1) (a) GDPR). You can withdraw this consent at any time with effect for the future by opting out of marketing communications. The withdrawal of consent will not affect the lawfulness of the data processing operations already carried out.

If you do not want HubSpot to analyse your behaviour, you must opt out of marketing communications. Where the marketing communication is sent via e-mail, we provide a corresponding link in every message for this purpose.

The data you provide to us for the purpose of subscribing to marketing communications will be stored by us or in HubSpot until you opt out of marketing communications, whereupon it will be deleted from the distribution list. This does not affect data that is being stored by us for other purposes.

Once you have been removed from the marketing distribution list, we or HubSpot may store your e-mail address in a blacklist if this is necessary to prevent future mailings. The data from the blacklist will be used solely for this purpose and will not be combined with other data. This serves our interest in ensuring compliance with the legal requirements for sending marketing communications (legitimate interest within the meaning of Art. 6 (1) (f) GDPR). Data is stored in the blacklist indefinitely. You may object to the storage of your data if your interests override our legitimate interest.

You can also request the deletion of your data at any time by contacting our Data Protection Officer.

12. Existence of automated decision-making

As a responsible company, we do not carry out any automated decision-making or profiling. The privacy policy generator of eRecht24 GmbH & Co. KG was used to create this privacy policy in cooperation with the data protection lawyer Christian Solmecke.

Base vehicle	Fiat Ducato, Mercedes-Benz Sprinter
Length	6.67 - 7.61 m
Tech. permissible laden weight	3.5 - 4.5 t

Base vehicle	Mercedes-Benz Sprinter
Length	7.20 - 7.48 m
Tech. permissible laden weight	3.5 - 4.5 t

Base vehicle	Fiat Ducato, Mercedes-Benz Sprinter
Length	7.39 - 8.78 m
Tech. permissible laden weight	4.2 - 5.5 t

Base vehicle	Fiat Ducato, Mercedes-Benz Sprinter
Length	7.89 - 8.99 m
Tech. permissible laden weight	4.5 - 5.5 t

Privacy policy of the Carthago Group (Carthago Reisemobilbau GmbH, Malibu GmbH & Co. KG and Carthago d.o.o.)

1. Data protection at a glance

General notes

Collection of data on this website

Who is responsible for the collection of data on this website?

How do we collect your data?

What do we use your data for?

What rights do you have in relation to your data?

Analytics tools and third-party tools

2. Hosting

External hosting

Processing by a data processor

3. General notes and information on obligations

Data protection

Notes on the data controller

Storage duration

General notes on the legal bases of data processing on this website

Data protection officer

Recipients of personal data

Withdrawal of your consent to data processing

The right to object to data collection in particular cases and to direct marketing (Art. 21 GDPR)

Right to lodge a complaint with the competent supervisory authority

Right to data portability

Information, rectification and erasure

Right to restriction of processing

SSL or TLS encryption

Objection to marketing e-mails

4. Collection of data on this website

Cookies

Server log files

Contact form

Enquiry via e-mail, phone or fax

5. Third-party systems (vehicle configurator, referral to dealers, etc.)

HubSpot CRM

Processing by a data processor

Caravana

DealerDesk

Syscara

CAS genesisWorld and CAS Merlin CPQ

TefKat

6. Social media

Facebook

Instagram

7. Analytics tools and advertising

Google Tag Manager

etracker

Processing by a data processor

Google Ads

Meta pixel (formerly Facebook pixel)

8. Newsletter

Newsletter data

HubSpot CRM

Processing by a data processor

9. Plug-ins and tools

YouTube with privacy-enhanced mode

Google Fonts (local hosting)

Google Maps

10. Prize draws

Google Tag Manager

11. Marketing purposes

12. Existence of automated decision-making

13. General information obligations according to Art. 13

14. Data privacy regulations for the whistleblower system