Skip to content
Choose Your Destination caret-down


Vagabond Club GmbH

Thank you for your interest in our company and our website.

Vagabond Club GmbH, with the business address Janis-Joplin-Promenade 26 / Door 801, 1220 Vienna, Austria, (hereinafter referred to as “Vagabond Club”), operates an online portal for its customers and interested parties at the web address “”. Further information about Vagabond Club can be found in the imprint of this page.

This privacy notice applies to all data processing carried out on behalf of Vagabond Club in our subsidiary hotels or hotels under our management, as well as to the customer offers, reservation websites and newsletter services provided on the online portal.

Vagabond Club is part of a group of companies. In order to fulfil its obligations, Vagabond Club also uses affiliated companies in a division of labour.


This general data protection information describes and explains our basic commitment to data protection and general security measures. We fulfil our data protection information obligations by means of separate data protection information for the individual customer offers, which form an integral part of this data protection information. Further information and a link to the documents can be found below under “Data protection information by customer offer”.

Personal data is information that relates to an identified or identifiable natural person. Examples of such data include their name, date of birth, home address, telephone number, etc., as well as any user data provided to Vagabond Club when registering and setting up their customer account.


Online services


Vagabond Club respects the privacy of the users of its website. The protection of your personal data and information that may lead to the identification of your identity is of particular importance to us. Vagabond Club’s goal is to continually meet our customers’ expectations of our products and services. This includes treating the data entrusted to us in the context of our customer relationship with the utmost care and due responsibility. We undertake to protect your data in accordance with the applicable data protection laws. This also applies in particular to our cooperation with partners and third parties.

For this reason, we are constantly reviewing and improving our technical and physical security rules. In an “Information Security Management System” – “ISMS” for short, we have implemented security measures through rules and precautions to protect your personal data on all Vagabond Club operated websites and servers from accidental loss, misuse and alteration while under our control.

We also ensure compliance with data protection requirements through regular training of our staff, the provision of a data protection officer and through the written assignment of the obligation to maintain data confidentiality to employees and external order processors.


We do not intend the unauthorised collection of personal data from minors; unfortunately, however, we cannot always verify the age of the persons accessing and using our websites. If a minor submits his or her data to us without the permission of the parent or guardian, we will ask the parent or guardian to contact us so that this data can be deleted and the minor can no longer be contacted by us (e.g. advertising material).


In order to fulfil our data protection information obligations, we have created separate data protection information for our customer groups for better readability and transparency. By navigating to the bottom of this page you can find the information regarding our customer groups.

In the data protection information by customer group, we provide detailed information about

Where the data protection information refers to the fact that we process data based on your consent, this naturally presupposes that you have effectively given us this consent. If you have not given your consent, we will not process your personal data on the basis of your consent.

Of course, our online offers (websites) can also be visited without providing personal information about the user. In this case, but also in the case of use of the online offer by registered users, access data without personal reference (e.g. name of the Internet service provider, the page from which the user visits the websites, the anonymised IP address, date and time of the visit) are stored. Data protection information on this type of data processing can be found in the “Cookie Information”. This information also includes explanations regarding “social plug-ins”, which can be used to share the content of our website with other websites.


If you would like to update your information, data usage or preferred method of communication, or if you no longer wish to receive marketing communications from Vagabond Club, you can contact us as follows:

By e-mail:

By phone: +43-1-333 73 73 -0

By mail: Vagabond Club GmbH, Janis-Joplin-Promenade 26 / Door 801, 1220 Vienna, Austria

If you have any comments or questions about Vagabond Club’s privacy practices or our privacy information, you can contact us using one of the methods below:

By e-mail:

By phone: +43-1-333 73 73 -0


Processing activity

Keeping information about the responsible person’s company available online for interested parties and customers


Vagabond Club GmbH, Janis-Joplin-Promenade 26 / Door 801, 1220 Vienna, Austria

Purposes of data processing on the legal basis of performance or preparation of the contract

Legal basis of the data processing

Change of purpose

The Controller shall not change the purpose of the processing of personal data.

Description of the (overriding) legitimate interests for IT security purposes:

The controller stores the IP addresses of the users for a period of 7 days in order to be able to respond to targeted attacks in the form of server overload (“denial of service” attacks) and other damage to the systems. The controller has an overriding legitimate interest in this data processing for the purpose of maintaining the functionality of its services provided online (recital 49 of the GDPR).

Assessments of personal aspects of the client

An evaluation of personal aspects of the customer does not take place.

Obligation to provide data

The customer is under no obligation to provide data.

Automated decision making

The client is not subject to any automated decision that has legal effect vis-à-vis him.

Types of data processed by the data controller: IP addresses (log files); terminal device data; browser used; device used; communication protocol; account usage information (e.g. creation date, number of logins, date of last request); newsletter subscription information; user ID; Facebook user ID; Facebook email address; Facebook profile link; date of last Facebook match; location.

Data sources (unless disclosed by the client or collected by the data controller)

e.g. login via Facebook; social media channels: (for more information see point 12)

External recipients of data Categories of external economic service providers (order processors) IT service providers:

Banks- Payment service providers: Payment information

Telecommunications companies: Shipping addresses

IT service provider for voucher booking processing: Booking details

Google Analytics, services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland: anonymised IP address, website title, browser-specific information, information about website usage.

“Social-plug-ins” (Facebook Inc., 1 Hacker Way, 94025 Menlo Park, USA; Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; Youtube LLC, principal place of business at 901 Cherry Avenue, San Bruno, CA 94066, USA – represented by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; LinkedIn Ireland UC.; Wilton Place,Dublin 2, Ireland): IP address, URLs, cookies and browser settings data.

Third-country transfer

The following data is transferred to countries outside the EU in the course of data processing:

Country | Application | Data types

USA (EU-US Privacy Shield) | Google Analytics | anonymised IP address, website title, browser-specific information, information on website use

USA (EU-US Privacy Shield) | Facebook, Twitter, Instagram, Youtube, LinkedIn | Social plug-ins (after consent by double click: IP address, website title, browser-specific information, information on website usage with opt-in

Storage period

Non-registered clients:

The personal data (especially IP address) of (unregistered) website visitors are stored for 7 days for IT security purposes.

Registered customers (newsletter subscribers):

The data of registered customers are processed by the responsible party on the basis of the above-mentioned legal basis for the duration of the contractual relationship. The data can be changed and deleted by the responsible person at any time. The user contract ends in any case by the cancellation of the newsletter subscription; this leads to an immediate deletion.

Rights of the data subject

Art 15 GDPR “Information”: The customer has the right to request information about whether personal data about him or her are being processed.

Art 16 DSGVO “rectification”: The customer has the right to request the rectification of inaccurate personal data or its completion without delay.

Art 17 DSGVO “Deletion”: The customer has the right to demand that the personal data be deleted without delay, provided that the reasons stated in Art 17 (1) DSGVO are fulfilled.

Art 18 GDPR “Restriction”: The customer has the right to request that the processing of personal data is restricted, provided that the reasons stated in Art 18 (1) GDPR are fulfilled.

Art 20 DSGVO “Data portability”: The customer has the right to receive his personal data in a structured, common and machine-readable format.

Art 21 DSGVO “Objection” The customer has the right to object at any time to the processing of his personal data on the basis of overriding legitimate interest.

Objection to direct advertising: The customer has the right to object at any time to the processing of his/her personal data for the purpose of direct advertising.

Right of appeal

Art 77 GDPR:

Every customer has the right to lodge a complaint with the supervisory authority if he or she considers that the processing of personal data concerning him or her infringes this Regulation.

Regulatory Authority Austria

Austrian Data Protection Authority

Barichgasse 40-42, 1030 Vienna, Austria

Tel.: +43 1 52 152-0



Federal Commissioner for Data Protection and Freedom of Information

Husarenstraße 30

53117 Bonn

Phone: +49 228 997799 0; +49 228 81995 0

Fax: +49 228 997799 550; +49 228 81995 550


The competence for complaints is split among different data protection supervisory authorities in Germany. Competent authorities can be identified according to the list provided under

Last update: August 2021

Book a Stay

Choose Location caret-down

Arrival Sun 05 Dec

Departure Mon 06 Dec

Guests Per Room 01