Legal

Privacy Policy

Last updated: May 2026

We are pleased to welcome you to the MIRA KODA UG (haftungsbeschränkt) website. The protection of your personal data is important to us. Below we inform you in detail about the processing of your data in accordance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

1. Data Controller

MIRA KODA UG (haftungsbeschränkt)
Nürnberg, Deutschland

Klaus Felmet & Mixia Alvarado Agurto
E-Mail: [email protected]
Website: www.mirakoda.com

Note: We have not appointed a Data Protection Officer, as the requirements of Art. 37 GDPR do not apply to us. For data protection enquiries, please contact us directly at the email address above.

2. Hosting

Hetzner Online GmbH
Industriestr. 25, 91710 Gunzenhausen, Deutschland

Hetzner processes technically necessary server data (e.g. IP addresses, timestamps, pages accessed) on our behalf as a data processor pursuant to Art. 28 GDPR. Processing takes place exclusively on servers within the European Union. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the secure and stable operation of the website).

3. Contact Form

When you send us an enquiry via our contact form, we collect the following data:

  • Name
  • Email address
  • Message content

This data is processed to handle your enquiry and get in touch with you. The legal basis is Art. 6(1)(b) GDPR (pre-contractual measures) or, for general enquiries, Art. 6(1)(f) GDPR (legitimate interest). Data is not passed on to third parties except our technical service providers (Hetzner, see above), and will be deleted after 6 months at the latest if no contract is concluded.

4. Customer Portal

Registered customers can access travel documents, files, and photos via our customer portal. In the portal, we process:

  • Login credentials (email, password in encrypted form)
  • Uploaded travel documents and photos
  • Communication relating to your booking

The legal basis is Art. 6(1)(b) GDPR (performance of contract). Data is retained in the portal for 1 year after completion of the trip and then deleted, unless statutory retention obligations apply.

5. Website Analytics

We use Umami Analytics, a privacy-friendly, cookieless analytics tool that we operate ourselves on our own infrastructure (Hetzner, Germany). Umami does not collect any personal data and does not use cookies. Only anonymised, aggregated usage statistics are recorded (e.g. number of page views, device type used). Identification of individual persons is neither possible nor intended. As no personal data is processed, the GDPR does not apply to this processing. As a precautionary measure, we rely on Art. 6(1)(f) GDPR (legitimate interest in website optimisation).

We do not use tracking cookies, third-party analytics cookies, or retargeting on this website.

6. Cookies

Our website does not use tracking or analytics cookies. Technically necessary session cookies may be used for the operation of the customer portal only. These cookies are deleted when you close your browser and do not require consent under § 25(2) TTDSG.

7. Email Communication

When you contact us by email, we process your email address and the content of your message. We use Google Workspace (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) as our email service. Google processes data on our behalf on the basis of EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. The legal basis for email processing is Art. 6(1)(b) or (f) GDPR.

8. Disclosure of Data to Third Parties

We only pass on your personal data when:

  • it is necessary to fulfil a travel booking (e.g. to hotels, airlines, local partners) — legal basis Art. 6(1)(b) GDPR;
  • we are legally obliged to do so;
  • you have expressly consented.

In the context of travel bookings, it may be necessary to transfer data to third countries outside the EEA (e.g. for travel to Dubai or other non-EU countries). In such cases, the transfer is based on Art. 6(1)(b) GDPR (performance of contract) or your explicit consent. We will inform you separately about third-country transfers during the booking process.

9. Retention Periods

We store your personal data only for as long as necessary for the respective purposes or as required by statutory retention obligations:

  • Contact enquiries without contract conclusion: 6 months
  • Customer data in CRM: 3 years after end of contract
  • Booking documents, invoices: 10 years (§ 147 AO / § 257 HGB)
  • Customer portal content: 1 year after end of trip

10. Your Rights as a Data Subject

Under the GDPR, you have the following rights:

  • Right of access (Art. 15 GDPR): You may request information about the data stored about you.
  • Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR): Under certain conditions, you may request the deletion of your data.
  • Right to restriction of processing (Art. 18 GDPR).
  • Right to data portability (Art. 20 GDPR).
  • Right to object (Art. 21 GDPR): You may object at any time to processing based on Art. 6(1)(f) GDPR.
  • Right to withdraw consent (Art. 7(3) GDPR): Any consent given may be withdrawn at any time with effect for the future.

To exercise your rights, please contact: [email protected]

11. Right to Lodge a Complaint

You have the right to lodge a complaint with the competent supervisory authority. For MIRA KODA UG, this is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach
Telefon: +49 (0)981 53-1300
Website: www.lda.bayern.de

12. Data Security

Our website transmits data exclusively in encrypted form via the HTTPS protocol (TLS). We implement appropriate technical and organisational measures in accordance with Art. 32 GDPR to protect your data against unauthorised access, loss, or misuse.

13. Updates to this Privacy Policy

We reserve the right to update this Privacy Policy if changes are made to our website or the legal framework. The current version will always be available on this page. Last updated: May 2026.