Privacy Policy
Data Controller
Name: Jennifer Serrat (operating as "The Hideout")
Address: Bernhard-Lichtenbergstrasse 21, 10407 Berlin, Germany
VAT ID: DE360470452
Tax Number (Steuernummer): 31/373/03305
Email: hello@comehideout.com
Website: www.comehideout.com
The Hideout is operated by Jennifer Serrat as an individual (sole proprietor / Einzelunternehmer), not as a registered corporation, LLC, or non-profit entity.
1. Introduction
Welcome to The Hideout. Your privacy matters to us, and we are committed to handling your personal data with care and transparency.
You can generally browse our website without providing any personal information. However, if you choose to use certain features — such as making a booking, contacting us, or subscribing to our emails — we may need to collect some personal data.
All personal data is processed in accordance with the General Data Protection Regulation (GDPR) (EU 2016/679) and applicable German federal data protection laws (Bundesdatenschutzgesetz – BDSG), as well as the German Telemedia Act (Telemediengesetz – TMG) where applicable.
2. Website Hosting (Wix.com)
This website is built and hosted on Wix.com.
Wix provides the platform infrastructure that allows us to operate www.comehideout.com and deliver our services to you.
When you visit our website, Wix may automatically collect and store certain technical data on secure servers. Wix may process data in countries outside the European Economic Area (EEA). Where this occurs, Wix ensures appropriate safeguards are in place in accordance with GDPR, including the use of Standard Contractual Clauses (SCCs).
For full details on how Wix handles data, please refer to Wix's Privacy Policy: https://www.wix.com/about/privacy
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — necessary for the operation and delivery of our website.
3. Automatically Collected Data (Technical / Log Data)
When you visit www.comehideout.com, certain technical information is collected automatically by Wix's servers. This may include:
- Browser type and version
- Operating system
- Referring URL (the page that linked you to our site)
- Pages visited on our website
- Date and time of access
- IP address (anonymized where technically possible)
How we handle IP addresses
Our website is hosted on Wix, which uses IP addresses to provide analytics data such as visitor location. We have implemented the following measures to protect your privacy:
- Cookie consent requirement: Wix Analytics only collects visitor data — including IP-based location data for traffic reports — after the visitor actively consents to analytics cookies via the cookie consent banner. If you do not consent to analytics cookies, this data is not collected.
- Session Recordings: If we use Wix Session Recordings, we operate in Maximum Privacy mode, which provides the highest level of visitor anonymity and hides IP addresses.
- Google Analytics: We do not currently use Google Analytics. If we connect Google Analytics in the future, we will enable IP Anonymization and update this Privacy Policy accordingly.
- Site owner exclusion: Wix automatically excludes our own visits from analytics reports when we are logged into our Wix account, ensuring our activity does not skew visitor data.
Purpose: This data is collected to ensure the proper functioning and security of the website, to improve user experience, and to generate anonymized usage statistics.
Important: This data is not used to personally identify you and is not combined with other personal data.
Legal basis:
- Strictly necessary technical data: Legitimate interests (Art. 6(1)(f) GDPR) — website security and functionality
- Analytics data (including IP-based location): Consent (Art. 6(1)(a) GDPR) — only processed after you consent to analytics cookies via the cookie banner
4. Personal Data We Collect
We only collect personal data when you voluntarily provide it.
This happens when you:
- Make a booking or reservation through our website
- Contact us via email (hello@comehideout.com) or through a website contact form
- Subscribe to receive email communications from us (opt-in)
- Complete and sign the Assumption of Risk and Waiver of Liability ("Waiver") prior to participating in an Experience
The personal data we may collect includes:
- First and last name for: Bookings, contact forms, email sign-up, Waiver
- Email address for: Bookings, contact forms, email sign-up, Waiver
- Phone number: Bookings, contact forms (where provided), Waiver
- Postal address: Bookings (where required for service delivery)
- Date of birth: Waiver (to verify age eligibility)
- Emergency contact details: Waiver (name, phone number, relationship)
- Medical and health information: Waiver (medical conditions, allergies, dietary requirements, injuries, medications)
- Media consent preference: Waiver (consent or refusal to appear in event photography/videography)
- Signature: Waiver (physical or electronic signature)
- Payment information: Processed securely via Stripe (see Section 6)
- Booking details: Event or service reservations
We will never sell your personal data to third parties. Your data is only shared when strictly necessary to deliver our services, process payments, or comply with legal obligations — and only as described in this policy.
Legal basis:
- Consent (Art. 6(1)(a) GDPR) — for email communications (opt-in) and media consent preferences
- Contract performance (Art. 6(1)(b) GDPR) — for processing bookings and fulfilling services
- Legitimate interests (Art. 6(1)(f) GDPR) — for responding to enquiries
- Legal obligation (Art. 6(1)(c) GDPR) — where data retention is required by law
- Vital interests (Art. 6(1)(d) GDPR) — for medical/health data collected via the Waiver, to the extent necessary to protect the vital interests of the participant in an emergency
- Explicit consent (Art. 9(2)(a) GDPR) — for the processing of special category data (health/medical information) collected via the Waiver
5. Waiver-Related Data
5.1 What We Collect and Why
Prior to participation in any Experience offered by The Hideout, all participants are required to complete and sign an Assumption of Risk and Waiver of Liability ("Waiver"). The Waiver collects the following personal data:
- Full name: Identification of the participant; linking the Waiver to the booking
- Date of birth: Verification of the minimum age requirement (21 years)
- Email address: Contact and identification; linking to booking records
- Phone number: Emergency contact purposes
- Emergency contact details (name, phone, relationship): To enable The Hideout to contact a designated person in case of an emergency during the Experience
- Medical and health information (medical conditions, allergies, dietary requirements, injuries, current medications): To enable The Hideout staff to be aware of conditions that may affect participation or require special attention; to ensure participant safety; to respond appropriately in a medical emergency
- Media consent preference (consent or refusal to appear in photographs/videos): To record the participant's preference regarding the use of their image in promotional materials
- Signature (physical or electronic): To evidence the participant's acknowledgment of risks, voluntary assumption of risk, and agreement to the Waiver terms
5.2 Special Category Data (Health Information)
The medical and health information collected through the Waiver constitutes special category data under Article 9 of the GDPR. This type of data receives enhanced protection.
We process this data based on the following legal grounds:
- Legal Basis: Explicit consent (Art. 9(2)(a) GDPR)
  - Application: By completing and signing the medical disclosure section of the Waiver, the participant provides explicit consent to the processing of their health data for the purposes described
- Legal Basis: Vital interests (Art. 9(2)(c) GDPR)
  - Application: In an emergency situation where the participant is physically or legally incapable of giving consent, we may process health data to protect their vital interests (e.g., sharing medical information with emergency services)
We will only use your medical and health information for the following purposes:
- Ensuring your safety during the Experience
- Enabling staff to accommodate specific needs (e.g., allergies, dietary requirements, physical limitations)
- Responding to medical emergencies during the Experience, including sharing relevant information with emergency medical services if necessary
- Fulfilling our duty of care as the event organiser
We will NOT:
- Share your medical information with other participants
- Use your medical information for marketing purposes
- Retain your medical information longer than necessary (see Section 5.3)
5.3 Waiver Data Retention
Signed Waivers and the personal data contained within them are retained as follows:
- Type: Waiver document (including name, date of birth, signature, emergency contacts, media preference)
  - Retention Period: 10 years after the date of the Experience
  - Reason: To defend against potential legal claims. The standard limitation period for contractual claims under German law is 3 years (§§ 195, 199 BGB). However, claims relating to personal injury or damage arising from intentional acts may have limitation periods of up to 30 years (§ 197 BGB). A 10-year retention period provides a reasonable balance between legal protection and data minimization. This period also aligns with German commercial and tax retention obligations (§ 257 HGB / § 147 AO) where the Waiver forms part of the event's business records.
- Type: Medical and health information (medical conditions, allergies, medications)
  - Retention Period: 6 months after the date of the Experience
  - Reason: Health data is special category data under GDPR Art. 9 and should be retained only for as long as strictly necessary. Once the Experience has concluded and a reasonable post-event period has passed (to address any immediate post-event medical claims or follow-up), this data is no longer needed. 6 months provides adequate time for any immediate health-related claims to surface while respecting the principle of data minimisation.
- Type: Emergency contact details
  - Retention Period: 6 months after the date of the Experience
  - Reason: Emergency contact information is only relevant during and immediately after the Experience. Retained for the same period as medical data for consistency.
5.4 Separation and Secure Storage of Waiver Data
Where technically feasible, medical and health information will be stored separately from other Waiver data, so that it can be deleted on its own schedule (6 months) while the remainder of the Waiver is retained for the longer period (10 years).
All Waiver data — whether collected digitally (e.g., via Tally.so) or in paper form — is stored securely with access limited to authorized individuals only.
- Digital Waivers (Tally.so):
  - Stored within Tally.so's secure infrastructure
  - Access restricted to authorized members of The Hideout
  - Subject to Tally.so's data processing agreement and security measures
- Paper Waivers:
  - Stored in a locked, secure location
  - Access limited to Jen Serrat and authorized staff
  - Destroyed securely (shredded) after the applicable retention period
5.5 Your Rights Regarding Waiver Data
You may exercise any of the rights described in Section 10 of this Privacy Policy with respect to your Waiver data, including the right to:
- Access your Waiver data — request a copy of the information we hold
- Rectify inaccurate information in your Waiver
- Request erasure ("right to be forgotten") of your Waiver data — subject to the retention periods described above and any overriding legal obligation to retain the data
- Restrict processing — request that we limit how we use your Waiver data
- Withdraw consent — you may withdraw your consent to the processing of your medical/health data at any time by contacting us at hello@comehideout.com
Important: Withdrawing consent to the processing of medical/health data after signing the Waiver will result in the deletion of your medical information from our records.
However:
- This does not retroactively affect the lawfulness of processing carried out before the withdrawal.
- It does not affect the validity of the Waiver itself (the assumption of risk and liability provisions remain in effect).
- It may limit our ability to accommodate specific medical needs during the Experience.
The non-medical portions of the Waiver (name, signature, risk acknowledgment) will be retained for the applicable retention period.
To exercise any of these rights, please contact us at: hello@comehideout.com
6. Third-Party Service Providers
To operate our website and deliver our services, we work with a limited number of trusted third-party providers. These providers only process your data on our behalf and in accordance with GDPR requirements.
- a) Wix.com (Website Hosting & Analytics)
  - Purpose: Website hosting, built-in website analytics (Wix Analytics), and general platform functionality.
  - Data processed: Technical log data, cookies, and any data you submit through the website.
  - Role: Wix acts as a data processor on our behalf. Jen Serrat / The Hideout is the data controller for all personal data collected through the Website.
  - Data Processing Agreement (DPA): Wix provides a binding Data Processing Agreement that is automatically accepted as part of the overall agreement when using Wix services. Under this DPA, Wix agrees to process personal data only within the purposes and instructions set forth in the agreement. The DPA does not need to be separately activated — it is binding for all Wix users. You can review the Wix Data Processing Agreement directly.
  - Privacy Policy: https://www.wix.com/about/privacy
- b) Tally.so (Forms & Data Collection)
  - Purpose: Processing contact forms, bookings, and collecting information you submit (e.g., name, email address, phone number, address). Also used for digital collection of the Waiver (where applicable).
  - Data processed: Any personal data you enter into forms on our website or via Tally.so-hosted forms, including Waiver data (name, date of birth, emergency contacts, medical information, signature, media preference).
  - Special category data: Where Tally.so is used to collect the Waiver, medical and health information (special category data under GDPR Art. 9) will be processed through the Tally.so platform. Tally.so acts as a data processor on our behalf.
  - Privacy Policy: https://tally.so/help/privacy-policy
- c) Stripe (Payment Processing)
  - Purpose: Secure processing of payments for bookings and services.
  - Data processed: Payment card details, billing information, and transaction data. Note: We do not store your full payment card details on our website or servers. All payment data is handled directly by Stripe in a PCI-DSS compliant environment.
  - Privacy Policy: https://stripe.com/privacy
These third-party providers may transfer data outside the EEA. Where this occurs, appropriate safeguards (such as Standard Contractual Clauses) are in place to protect your data in accordance with GDPR.
Legal basis: Contract performance (Art. 6(1)(b) GDPR) and legitimate interests (Art. 6(1)(f) GDPR).
7. Cookies and Tracking Technologies
Our website uses cookies — small text files stored on your device when you visit www.comehideout.com.
What cookies do we use?
- Cookie Type: Strictly necessary cookies
  - Purpose: Required for the website to function properly (e.g., session management, security). These cannot be disabled.
  - Consent Required? No — exempt under § 25 Abs. 2 Nr. 2 TTDSG
- Cookie Type: Analytics cookies (Wix Analytics)
  - Purpose: Used to understand how visitors interact with the website (e.g., pages visited, time on site). Data is anonymized and aggregated.
  - Consent Required? Yes — only activated after you consent via the cookie banner
- Cookie Type: Functional cookies. Help remember your preferences (e.g., language, region).
  - Purpose: We use Wix's built-in analytics tools to track website usage. We do not currently use third-party analytics tools such as Google Analytics, Facebook Pixel, or similar tracking technologies.
  - Consent Required? Yes — only activated after you consent via the cookie banner
Managing your cookies
You have the right to control cookies at any time.
You can:
- Adjust your browser settings to block or delete cookies
- Use the cookie consent banner on our website to manage your preferences
Please note that disabling cookies may affect the functionality and user experience of the website.
For more information about how Wix uses cookies, visit: https://www.wix.com/about/privacy
A separate, detailed Cookie Policy is available at www.comehideout.com/cookie-policy.
Legal basis: Consent (Art. 6(1)(a) GDPR) for non-essential cookies; legitimate interests (Art. 6(1)(f) GDPR) for strictly necessary cookies.
8. Contact via Website or Email
When you contact us via a form on our website or by sending an email to hello@comehideout.com:
- The personal data you provide (e.g., name, email address, message content) will be stored solely for the purpose of processing and responding to your enquiry.
- Your data will not be shared with third parties without your consent.
- We will retain this data only as long as necessary to handle your request, unless a longer retention period is required by law.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) and, where applicable, contract performance (Art. 6(1)(b) GDPR).
9. Email Communications
9.1 If you subscribe to receive emails from The Hideout, you do so through a clear opt-in process. You can unsubscribe at any time by:
- Clicking the "unsubscribe" link included in every email
- Contacting us directly at hello@comehideout.com
9.2 We will never add you to our mailing list without your explicit consent.
9.3 Transactional emails related to an active booking (e.g., booking confirmation, event logistics, post-event follow-up) are sent on the basis of contract performance and do not require separate marketing consent.
Legal basis: Consent (Art. 6(1)(a) GDPR) for marketing emails; contract performance (Art. 6(1)(b) GDPR) for transactional emails.
10. Data Retention
We retain personal data only for as long as necessary to fulfill the purpose for which it was collected, or as required by law. Specifically:
- Data Type: Booking and transaction records
  - Retention Period: 10 years after the transaction
  - Reason: Required under German tax and commercial law (§ 257 HGB / § 147 AO)
- Data Type: Email subscriber data
  - Retention Period: Until you unsubscribe or withdraw consent
  - Reason: Consent-based; deleted upon withdrawal
- Data Type: Contact form enquiries
  - Retention Period: Until the enquiry is resolved, then deleted
  - Reason: Unless a legal retention obligation applies
- Data Type: Technical log data (Wix)
  - Retention Period: Managed by Wix in accordance with their data retention policies
  - Reason: See Wix Privacy Policy
- Data Type: Waiver document (name, DOB, signature, emergency contacts, media preference)
  - Retention Period: 10 years after the date of the Experience
  - Reason: Legal protection against potential claims (§§ 195, 197, 199 BGB); alignment with commercial retention obligations (§ 257 HGB / § 147 AO)
- Data Type: Medical and health information (from Waiver)
  - Retention Period: 6 months after the date of the Experience
  - Reason: Special category data (GDPR Art. 9); retained only as long as strictly necessary for safety and immediate post-event purposes; data minimisation principle
- Data Type: Emergency contact details (from Waiver)
  - Retention Period: 6 months after the date of the Experience
  - Reason: Only relevant during and immediately after the Experience; deleted alongside medical data
Once data is no longer needed and no legal retention obligation applies, it will be securely deleted or anonymized.
For Waiver data specifically, medical information and emergency contacts will be deleted on their shorter schedule (6 months) while the remaining Waiver document is retained for the longer period (10 years). See Section 5.3–5.4 for full details.
11. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) — Request a copy of the personal data we hold about you, including any Waiver data.
- Right to rectification (Art. 16 GDPR) — Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR) — Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations. Note: Waiver data subject to a legal retention period may not be deleted until that period has expired.
- Right to restriction of processing (Art. 18 GDPR) — Request that we limit how we use your data in certain circumstances.
- Right to data portability (Art. 20 GDPR) — Request your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR) — Object to data processing based on legitimate interests, including direct marketing.
- Right to withdraw consent (Art. 7(3) GDPR) — Withdraw any consent you have previously given, at any time, without affecting the lawfulness of processing carried out before withdrawal. This includes consent for email communications, non-essential cookies, and the processing of medical/health data collected via the Waiver.
How to exercise your rights
To exercise any of these rights, please contact us at: hello@comehideout.com
We will respond to your request within one month of receipt, as required by GDPR. In complex cases, this period may be extended by a further two months, and we will inform you accordingly.
Right to lodge a complaint
If you believe that your personal data has been processed unlawfully, you have the right to lodge a complaint with a supervisory authority.
The relevant authority for Berlin, Germany is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin, Germany
Website: https://www.datenschutz-berlin.de
Email: mailbox@datenschutz-berlin.de
12. Legal Bases for Processing
We process your personal data based on one or more of the following legal grounds:
- Legal Basis: Consent (Art. 6(1)(a) GDPR)
  - When It Applies: When you opt in to email communications or accept non-essential cookies
- Legal Basis: Explicit consent (Art. 9(2)(a) GDPR)
  - When It Applies: When you provide medical/health information via the Waiver
- Legal Basis: Contract performance (Art. 6(1)(b) GDPR)
  - When It Applies: When processing is necessary to fulfill a booking or provide a requested service
- Legal Basis: Legal obligation (Art. 6(1)(c) GDPR)
  - When It Applies: When we are required to retain data under German tax or commercial law
- Legal Basis: Vital interests (Art. 6(1)(d) / Art. 9(2)(c) GDPR)
  - When It Applies: In emergency situations where medical/health data must be shared to protect the participant's life or physical safety
- Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR)
  - When It Applies: When processing is necessary for website operation, security, responding to enquiries, defending legal claims, or improving our services — provided your rights do not override these interests
13. Data Security
We take the protection of your personal data seriously and implement appropriate technical and organizational measures to safeguard it against unauthorized access, loss, alteration, or destruction.
These measures include:
- Use of SSL/TLS encryption for data transmitted via the website
- Secure hosting through Wix with firewall and server protections
- PCI-DSS compliant payment processing through Stripe
- Access to personal data limited to authorized individuals only
- Secure storage of Waiver documents (digital and paper) with restricted access
- Separate storage of medical/health data where technically feasible, to enable deletion on a shorter schedule
- Secure destruction (shredding) of paper Waivers after the applicable retention period
However, please be aware that no method of data transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.
14. International Data Transfers
Some of our third-party service providers (Wix, Tally.so, Stripe) may transfer and process your data in countries outside the European Economic Area (EEA), including the United States.
Where Tally.so is used to collect Waiver data (including medical/health information), this data may be transferred outside the EEA as part of Tally.so's infrastructure. Appropriate safeguards are in place as described below.
Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with GDPR, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-U.S. Data Privacy Framework (where applicable and certified)
- Other lawful transfer mechanisms recognized under GDPR
15. Children's Privacy
Our website and services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us immediately at hello@comehideout.com, and we will take steps to delete such data.
Participation in The Hideout's Experiences requires a minimum age of 21 years, as set out in our Terms & Conditions.
16. Links to External Websites
Our website may contain links to third-party websites or services that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites. We encourage you to review the privacy policies of any external websites you visit.
17. Changes to This Privacy Policy
We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our practices, legal requirements, or operational needs.
Any changes will be posted on this page with an updated "Last Updated" date. We encourage you to review this Privacy Policy periodically.
For significant changes that affect how we process your personal data, we will make reasonable efforts to notify you (e.g., via email or a notice on our website).
18. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data — including questions about Waiver data — please contact us:
📧 Email: hello@comehideout.com
🌐 Website: www.comehideout.com
This Privacy Policy was last updated on March 30, 2026.