Privacy Policy

§ 1 Controllers and Contact

The offerings presented on this website and the associated data processing activities are operated by two legally independent companies based at Gut Stockseehof. Both companies are joint controllers within the meaning of Art. 26 GDPR for the processing of personal data taking place on this website and the related services:

Gutsverwaltung Stockseehof, Dr. Georg F. Baur
Stockseehof 2
24326 Stocksee, Germany
Phone: +49 4526 8339
Fax: +49 4526 30 97 15
Email: [email protected]
Owner: Dr. Georg F. Baur
VAT identification number: DE 118 180 161

Park & Garden Organisations GbR
Stockseehof 2
24326 Stocksee, Germany
Phone: +49 4526 30 97 16
Email: [email protected]
Authorised representative partner: Dr. Georg F. Baur
VAT identification number: DE 207 939 963

Allocation of Responsibilities

The two controllers have entered into an agreement under Art. 26 GDPR with the following allocation of responsibilities:

Area	Responsible
Operation and content of the website www.stockseehof.de	Gutsverwaltung Stockseehof
Operation of the AI assistant "Clara" (phone, WhatsApp, email, chat)	Gutsverwaltung Stockseehof
Planning and organisation of events (Park & Garden Country Fair, Park & Garden – The Field Days, Stockseehof Christmas Market)	Park & Garden Organisations GbR
Selection and contractual engagement of exhibitors, invitations, invoicing	Park & Garden Organisations GbR

The essence of this agreement may be requested at [email protected] (Art. 26(2) sentence 2 GDPR).

Single Point of Contact for Data Subjects

You may exercise your rights under Articles 15 to 22 GDPR vis-à-vis either of the two controllers (Art. 26(3) GDPR). We have designated the following single point of contact:

Gutsverwaltung Stockseehof, Dr. Georg F. Baur
Stockseehof 2, 24326 Stocksee, Germany
Email: [email protected]
Phone: +49 4526 8339

Requests falling within the responsibility of Park & Garden Organisations GbR are forwarded internally without delay.

Data Protection Officer

A data protection officer is not legally required for either company (cf. Section 38 of the German Federal Data Protection Act, BDSG). For data protection enquiries, please contact the single point of contact named above.

§ 2 Your Rights as a Data Subject

You have the following rights vis-à-vis us with regard to the personal data concerning you:

Right of access (Art. 15 GDPR) — You may request information about which data we process about you.
Right to rectification (Art. 16 GDPR) — You may request that we correct inaccurate or incomplete data.
Right to erasure (Art. 17 GDPR) — Under certain conditions, you may request the deletion of your data ("right to be forgotten").
Right to restriction of processing (Art. 18 GDPR) — You may request that we restrict the processing of your data.
Right to data portability (Art. 20 GDPR) — You may request that we provide your data in a commonly used, machine-readable format or transfer it to a recipient designated by you.
Right to object (Art. 21 GDPR) — You may object to the processing of your data insofar as it is based on a balancing of interests under Art. 6(1)(f) GDPR.
Withdrawal of consent (Art. 7(3) GDPR) — If you have given us your consent, you may withdraw it at any time with effect for the future. The lawfulness of processing carried out before withdrawal remains unaffected.

To exercise these rights, an informal message to [email protected] is sufficient. We endeavour to respond to enquiries within 14 days; the statutory maximum is one month (Art. 12(3) GDPR).

Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to other remedies, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority for us is:

Independent Data Protection Centre Schleswig-Holstein (ULD)
Holstenstraße 98
24103 Kiel, Germany
Phone: +49 431 988-1200
Email: [email protected]
Website: https://www.datenschutzzentrum.de

§ 3 General Information on Data Processing on This Website

3.1 Server Log Files

When you access this website, your browser automatically transmits information to our server or our content delivery network, which is processed in so-called log files. The following data is recorded:

IP address of the accessing device
date and time of access
name and URL of the file retrieved
website from which the access was made (referrer URL)
browser and operating system used

Purpose: Provision of the website, ensuring system security and stability, defence against abusive access.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure and reliable operation of the website).

Storage period: Log data is deleted or anonymised after 30 days at the latest.

3.2 Cookies — Overview

This website uses cookies and comparable technologies. Cookies are small text files that are stored on your device.

We distinguish between:

Strictly necessary cookies — required for the operation of the website (e.g. security cookies of our CDN). Legal basis: Section 25(2) no. 2 of the German Digital Services Data Protection Act (TDDDG) in conjunction with Art. 6(1)(f) GDPR.
Cookies and integrations requiring consent — e.g. social media content, external videos, the AI assistant "Clara". These are only set after you have given your consent via our consent banner. Legal basis: Section 25(1) TDDDG, Art. 6(1)(a) GDPR.

A tabular overview of all cookies used can be found in § 9 Cookies in Detail.

You can adjust or withdraw your consent at any time via the cookie banner at the bottom of the page.

3.3 Data Transfers to Third Countries (in particular the USA)

At several points in this policy, we name processors based in the United States (e.g. Cloudflare, Anthropic, OpenAI). Where personal data is transferred to these providers, we base the transfer on the following complementary grounds:

EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) as the primary contractual safeguard. We have concluded the current EU Standard Contractual Clauses (Module 2 or 3) with all US providers that process personal data and — where necessary — carried out a Transfer Impact Assessment (TIA) within the meaning of the CJEU's Schrems II judgment.
EU-US Data Privacy Framework (Art. 45 GDPR) as a complementary basis, insofar as the respective provider is self-certified under Implementing Decision (EU) 2023/1795.

Should the adequacy decision for the USA subsequently be declared invalid again, the Standard Contractual Clauses will remain in place as the legal basis. A complete list of the US providers used, including their certification status, is available on request ([email protected]).

Despite these safeguards, we cannot rule out that US authorities may demand access to data under Section 702 FISA or Executive Order 12333 under certain conditions. We continuously monitor legal developments and adjust our choice of providers if necessary.

§ 4 Hosting and Technical Infrastructure

4.1 Web Hosting at Elementor Cloud

Our website is hosted by Elementor Ltd. (Elementor Cloud).

Provider: Elementor Ltd., 14 Hata'as St., Ramat Gan 5251247, Israel
Purpose: Provision of the website, storage of page content, securing the infrastructure
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a stable, performant and secure web presence)
Data transfer: According to Elementor's privacy policy, personal data may be processed at various operating locations, in particular in Israel, the EU and the USA. For Israel, an adequacy decision of the European Commission is in place (Art. 45 GDPR); data transfers to the USA take place on the basis of the EU-US Data Privacy Framework and supplementary EU Standard Contractual Clauses (Art. 46 GDPR).
Data processing: A data processing agreement under Art. 28 GDPR is in place (Elementor Data Processing Agreement).

Details: https://elementor.com/about/privacy/

4.2 Content Delivery Network and Security: Cloudflare

We use the content delivery network and security services of Cloudflare, Inc. to reduce loading times and protect the website from attacks (e.g. DDoS, bot traffic).

Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA
Purpose: Delivery of static content, protection against malicious traffic, bot detection
Data processed: IP address, technical metadata of the access, cookies __cf_bm and _cfuvid
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the security and availability of the website)
Data transfer to the USA: Cloudflare is certified under the EU-US Data Privacy Framework, ensuring an adequate level of data protection (Art. 45 GDPR in conjunction with Implementing Decision (EU) 2023/1795).
Data processing: An agreement under Art. 28 GDPR is in place; additionally, EU Standard Contractual Clauses apply.

Details: https://www.cloudflare.com/privacypolicy/

4.3 WordPress and Plugins Used

Our website is based on the WordPress content management system and uses, among others, the following extensions:

Elementor / Elementor Pro — page editor (Elementor Ltd., see § 4.1)
WP Recipe Maker — display of recipe content (local processing, no data transfer to third parties)
Real Cookie Banner — management of cookie consent (see § 4.4)

Processing in connection with website operation takes place on the basis of Art. 6(1)(f) GDPR.

4.4 Cookie Consent Management with "Real Cookie Banner"

To obtain, manage and document your consent to non-essential cookies and comparable technologies in compliance with the law, we use the WordPress plugin "Real Cookie Banner" by devowl.io GmbH, August-Hagen-Allee 11, 42897 Remscheid, Germany.

How it works: The plugin runs entirely on our own WordPress infrastructure (Elementor Cloud, see § 4.1). Your personal data is not transferred to devowl.io GmbH or other third parties during regular operation. A connection to devowl.io's servers exists only for the provision of plugin updates and service templates; no visitor data is transmitted in this process.

Data processed regarding your consent:

date and time of consent
content of the consent (which service groups you have accepted)
browser information (user agent) for technical assignment
an anonymous consent key for re-identification of your choice

We do not store your IP address, as we have explicitly disabled this option in the plugin settings.

Purpose: Fulfilment of our obligation to provide proof under Art. 7(1) GDPR; compliance with the ePrivacy Directive and Section 25 TDDDG.

Legal basis: Art. 6(1)(c) GDPR (legal obligation to keep proof) in conjunction with Art. 6(1)(f) GDPR (legitimate interest in audit-proof documentation of consent).

Storage period: Your documented consent is automatically deleted after 36 months. The validity of the consent itself (cookie lifetime) is 365 days; thereafter, you will be asked for consent again.

Withdrawal: You can withdraw or adjust your consent at any time via the cookie banner icon at the bottom of the screen.

Details on the plugin manufacturer: https://devowl.io/de/datenschutz/

§ 5 Social Media Embeddings and External Links

5.1 Instagram and Facebook Feed (Smash Balloon)

On our homepage we display public posts from our Instagram and Facebook profiles. For this we use the WordPress plugins Smash Balloon Instagram Feed and Custom Facebook Feed in local caching mode.

How it works: Our server retrieves public posts at regular intervals via Meta's official application programming interfaces (API) and caches texts and images on our own infrastructure. When you visit our website, the content is delivered exclusively from our server; no direct connection from your browser to Meta takes place. No Meta cookies are set and no personal data is transferred to Meta.

Provider of the source content: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (for users in the EEA); parent company: Meta Platforms, Inc., USA
Purpose: Display of current social media content on our website
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a lively presentation of our public activities without burdening your data with third-party providers)
Data processed: exclusively the post content we have published ourselves on Instagram/Facebook

If you actively click on an embedded post and are thereby redirected to the Instagram or Facebook platform, Meta's privacy provisions apply.

Details: https://www.facebook.com/privacy/policy/ · https://privacycenter.instagram.com/policy

5.2 Links to Social Networks

In the footer and at individual points on our website, we link to our profiles on:

Instagram (Meta Platforms Ireland Ltd.)
Facebook (Meta Platforms Ireland Ltd.)
Pinterest (Pinterest Europe Ltd.)

These are pure links — no embeddings. Data is only transferred to the respective provider when you click the link and thereby visit the linked platform. The data processing on the linked platforms is governed by their respective privacy provisions.

5.3 WhatsApp Contact

We offer the option to contact us via WhatsApp through a link ("Send WhatsApp message" / phone number +49 152 52334381). When you click the link, you are redirected to WhatsApp.

Provider: WhatsApp Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (Meta group)
Purpose: User-initiated contact
Legal basis: Art. 6(1)(b) GDPR (initiation/performance of pre-contractual communication) or Art. 6(1)(f) GDPR

Details on the processing of your message by our AI assistant Clara can be found in § 6.2 Clara via WhatsApp.

§ 6 AI-Supported Communication with "Clara"

6.1 General Information about Clara

"Clara" is an AI assistant operated by Gut Stockseehof which receives and answers visitor enquiries. Clara provides information on opening hours, events, directions, accommodations, our products and accepts exhibitor enquiries. More complex requests are forwarded to our office team.

Operator and server location: Clara is operated by Gutsverwaltung Stockseehof on a dedicated server in a data centre of Hetzner Online GmbH, Gunzenhausen/Nuremberg, Germany. The central database with conversations and contact data thus remains within the EU.

No model training: We have contractual agreements in place with all AI service providers used that exclude the use of your messages for training AI models.

No automated decisions: Clara does not make any automated individual decisions within the meaning of Art. 22 GDPR. Contracts, price commitments or legally binding declarations are made exclusively by employees of Gut Stockseehof.

Transparency obligation under Art. 50 AI Act: You are communicating with an AI system. In every channel, we actively inform you at the beginning of the conversation that you are speaking or writing with an AI assistant (Art. 50(1) of Regulation (EU) 2024/1689 on artificial intelligence). You may at any time request to be forwarded to a human employee.

Legal basis for processing with Clara: Art. 6(1)(b) GDPR (handling pre-contractual enquiries, e.g. exhibitor applications) or Art. 6(1)(f) GDPR (legitimate interest in a timely and qualified response to visitor enquiries).

Processors used:

Service provider	Purpose	Location / third-country transfer
Anthropic PBC, San Francisco, USA	Language model (Claude) for composing responses	USA — EU-US Data Privacy Framework + EU Standard Contractual Clauses
OpenAI OpCo, LLC, San Francisco, USA	Transcription of voice messages (Whisper)	USA — EU-US Data Privacy Framework + EU Standard Contractual Clauses
Hetzner Online GmbH, Gunzenhausen	Hosting of the Clara infrastructure	Germany (EU)

Data processing agreements under Art. 28 GDPR are in place with all processors.

6.2 Clara via WhatsApp

You can reach Clara at any time via the WhatsApp number +49 152 52334381. Messages sent to this number are received and answered by Clara; more complex requests are forwarded to our office team.

Data processed:

your WhatsApp number (as contact identifier)
text and voice messages and submitted images
for voice messages: transcripts (Whisper) and optionally archived audio data
timestamps of the messages

Additional service providers (in addition to § 6.1):

Service provider	Purpose	Location
WhatsApp Ireland Limited (Meta group)	Operation of the WhatsApp infrastructure and message delivery	Ireland; parent group in the USA (EU-US Data Privacy Framework)

Legal basis: Art. 6(1)(b) GDPR (pre-contractual communication) or Art. 6(1)(f) GDPR.

First contact notice: When you first exchange messages, Clara automatically informs you of this privacy policy and that you are writing with an AI assistant.

Email summary: After a conversation ends, Clara creates a summary of your enquiry that is forwarded to our office team (§ 6.4) so that your request can be processed manually if necessary.

6.3 Storage Period and Automated Deletion

We store data collected via Clara only for as long as it is necessary to answer your enquiry and to deal with reasonable follow-up questions:

Data category	Retention period
Audio recordings (voice messages)	30 days
Conversation messages and transcripts	90 days from the last message
Contact data (phone number, name)	90 days from the last contact

Deletion is performed automatically every day at 03:00 by a cron process on our server.

Immediate deletion on request: You may send Clara the command "Delete data" via WhatsApp. Clara confirms the execution and immediately removes your contact data and all associated conversations from our database. Documents subject to legal retention obligations (e.g. invoices) are exempt.

6.4 Forwarding to Our Office Team (Escalation)

If Clara cannot fully answer your enquiry or the matter is pre-contractual (e.g. an exhibitor application), Clara forwards a summary of your enquiry by email to the responsible employees. Access to these summaries is restricted to internally authorised persons only (currently a maximum of five employees of Park & Garden Organisations GbR).

Legal basis: Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR.

§ 7 Enquiries and Applications

7.1 Contact Enquiries by Email and Phone

If you contact us via our contact details (phone, email, WhatsApp), we store your information in order to process your enquiry. In addition to the main phone numbers listed in § 1, during the harvest season we operate a Harvest Hotline (+49 4526 1780) with current information about our fruit harvest. You can also leave messages on this number, which we will then forward to the responsible team.

Data processed: name (if provided), email address or phone number, content of your enquiry, timestamp.

Purpose: Answering your enquiry and any follow-up communication.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual communication) or Art. 6(1)(f) GDPR (legitimate interest in a proper response).

Storage period: Six months after final processing, provided no contractual relationship arises. If a contract results from the enquiry, statutory commercial and tax retention periods apply (up to 10 years, Section 257 of the German Commercial Code (HGB), Section 147 of the German Fiscal Code (AO)).

If communication takes place via Clara, the shorter deletion periods of § 6.3 apply additionally.

7.2 Exhibitor Applications

For our events (Park & Garden Country Fair, Park & Garden – The Field Days, Stockseehof Christmas Market), we provide information pages on our website for applying as an exhibitor. Applications are currently submitted by email to the address indicated in each case.

Data processed: company name, contact details of the contact person, description of the product range/concept, product images, where applicable details on stand size and previous experience, and other documents you submit.

Purpose: Reviewing and processing your application and — in the event of acceptance — preparing and carrying out the contractual participation.

Legal basis: Art. 6(1)(b) GDPR (performance or initiation of an exhibitor contract).

Storage period:

Upon acceptance: for the duration of the event and the business relationship; thereafter, statutory retention periods apply.
In the event of rejection or no response: up to 12 months after the end of the relevant event season, in order to be able to contact you again the following year. You may object to such follow-up contact at any time informally ([email protected]).

7.3 Job Applications

If you send us application documents for a job at Gut Stockseehof, we process them as part of the application process.

Data processed: cover letter, CV, references, contact details and any other information you submit.

Purpose: Conducting the application process, selecting suitable candidates.

Legal basis: Section 26(1) BDSG in conjunction with Art. 6(1)(b) GDPR (establishing an employment relationship); Art. 9(2)(b) GDPR for any special categories of personal data (e.g. severe disability).

Storage period:

Upon hiring: relevant documents are transferred to the personnel file.
In the event of rejection: at the latest four months after completion of the application process; thereafter deletion. This period takes into account the two-month limitation period under Section 15(4) of the German General Equal Treatment Act (AGG) plus a reasonable buffer for postal delivery and processing.
Storage beyond this in our talent pool is only carried out with your express consent (Art. 6(1)(a) GDPR).

§ 8 Newsletter

You can subscribe to our occasion-based newsletter via our website, in which we inform you of dates, programme highlights, seasonal news from Gut Stockseehof, and occasionally recipes, ahead of events.

8.1 Sign-Up via Double-Opt-In

Sign-up takes place via a form on our website. We collect only your email address. After submitting the form, you receive a confirmation email with an activation link. Your sign-up only becomes effective once you click this link (double-opt-in procedure).

Data processed:

email address
IP address, date and time of sign-up and confirmation (to provide proof of consent)

Purpose: Information about upcoming events and seasonal news from Gut Stockseehof.

Legal basis: Art. 6(1)(a) GDPR (consent). The storage of sign-up and confirmation data also serves to fulfil our obligation to provide proof under Art. 7(1) GDPR (Art. 6(1)(c) GDPR).

Storage period: Until you withdraw your consent. You may unsubscribe at any time via the unsubscribe link at the end of every newsletter or by sending an informal notice to [email protected]. After withdrawal, your data is removed from the recipient list immediately; the sign-up and confirmation log is retained for three more years for evidentiary purposes.

8.2 Sending via Mailchimp

For the management of our recipient list and the sending of newsletters, we use the service Mailchimp.

Provider: The Rocket Science Group, LLC d/b/a Mailchimp, 405 N Angier Ave NE, Atlanta, GA 30308, USA (subsidiary of Intuit Inc.)

Purpose: Sending and managing our newsletters, providing the sign-up and unsubscribe functions, providing delivery and dispatch statistics.

Data processed: email address and the sign-up metadata stored for evidentiary purposes (see § 8.1).

Data transfer to the USA: The recipient list is processed on Mailchimp servers in the United States. We base the third-country transfer on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR); additionally, Mailchimp's parent company Intuit Inc. is self-certified under the EU-US Data Privacy Framework (Art. 45 GDPR in conjunction with Implementing Decision (EU) 2023/1795).

Data processing: A data processing agreement under Art. 28 GDPR is in place with Mailchimp (Mailchimp Data Processing Addendum).

Reach measurement (open and click tracking): Mailchimp offers the option to record, via a 1×1 pixel embedded in a newsletter, whether and when you open the newsletter, and to record, via redirected links, which links you click. To the extent that we activate these functions for a particular campaign, this is based on your consent to receive the newsletter (Art. 6(1)(a) GDPR). You may object to this tracking at any time by unsubscribing from the newsletter.

Details: https://www.intuit.com/privacy/statement/mailchimp/

§ 9 Cookies in Detail

Below we list all cookies and comparable storage mechanisms used on this website, organised by consent category. Cookies and storage entries in the "Functional" and "Marketing" categories are only set after you have consented via our cookie banner.

9.1 Strictly Necessary Cookies (Category "Essential")

These cookies are strictly necessary for the operation and security of the website. No consent is required under Section 25(2) no. 2 TDDDG.

Name	Provider	Purpose	Storage period	Type
`__cf_bm`	Cloudflare, Inc. (USA)	Bot detection, protection against malicious traffic	30 minutes	HTTP cookie
`_cfuvid`	Cloudflare, Inc. (USA)	Rate limiting, session identification	Session	HTTP cookie
`real_cookie_banner-*`	Real Cookie Banner (local, devowl.io GmbH)	Storage of your cookie consent to fulfil the obligation to provide proof (Art. 7(1) GDPR)	12 months	Local Storage

9.2 Functional Cookies (Category "Functional")

These cookies enhance comfort but are not strictly necessary.

Name	Provider	Purpose	Storage period	Type
`pll_language`	Polylang (local, on our WordPress server)	Storage of your selected display language (German/English/Danish)	12 months	HTTP cookie

9.3 Marketing Embeddings (Category "Marketing")

These embeddings are only activated after your consent in the cookie banner. Before consent, the content is replaced by a content blocker with a notice text.

Service	Provider	Purpose	Data processed	Third-country transfer
Google Maps	Google Ireland Ltd., Dublin / Google LLC, USA	Display of the directions map on the contact page	IP address, technical device information, location data (if permitted by the browser), cookies set by Google (`NID` 6 months, `1P_JAR` 1 month, `CONSENT` 16 months)	USA — EU-US Data Privacy Framework + EU Standard Contractual Clauses

9.4 Managing Your Consent

You may withdraw or adjust your consent at any time via the cookie banner icon at the bottom of the screen. When you withdraw consent, the cookies and storage entries requiring consent are removed; third-party cookies that have already been set (e.g. by Google) may need to be deleted in your browser additionally.

§ 10 Changes to This Privacy Policy

We reserve the right to update this privacy policy if data processing or the legal framework changes. The current version is always available at https://stockseehof.de/datenschutz.

Last updated: 29 April 2026