Privacy Policy

Last version: April 2026

In accordance with applicable data protection regulations, this Privacy Policy aims to help you understand how your personal data is processed depending on the type of data subject.

1. Data controller

CARNECT is the trading name of MicroNexus GmbH (hereinafter, “CARNECT”) whose registered number is 4391036 and whose registered address at CS Business Center, 5th Fl, Hohe Bleichen 22, 20354 Hamburg (Germany).

The Data Controller for the processing of the personal data you have provided us is CARNECT.

2. Data protection officer (DPO)

CARNECT belongs to a group of companies, referred altogether as HBX GROUP (hereinafter, “HBX GROUP”). HBX GROUP, and therefore, CARNECT has a Global Data Protection Officer to respond to any queries, requests or clarifications regarding the processing of personal data that may be made by CARNECT in the following email address dataprotection@carnect.com or at our postal address, mentioned in the paragraph above.

3. How did we obtain your data?

The personal data processed will be that which you provide to us through the various channels that CARNECT makes available to you.

For compliance purposes and Know Your Business (KYB) activities, we may obtain personal data from third parties (such as service providers) for fraud detection and prevention purposes.

When you visit the CARNECT site various technologies are used to collect and store information, which may include the use of cookies or similar technologies to identify your browser or device. You can obtain more information in our Cookie Policy.

4. What personal data do we process, for what purpose and for what reason

The categories of data, purposes and applicable legal basis are detailed below according to each data subject.

4.1. Customer and potential customer

Categories of data processed

  • Identification data: name, surname, passport number.
  • Contact data: email, telephone number.
  • Payment and billing data: financial data required to process payment and billing (e.g. credit cards).
  • Any additional information you provided: any request or information you choose to share (e.g., special requirements).
  • Browsing/technical data: browsing details, preferences and interests; cookie-related data where applicable.
  • Preferences and requirements regarding your bookings.
  • Browsing preferences and interests.

Legal basis and purposes

a) Performance of a contract or application of pre-contractual measures:

  • Manage the contractual relationship and provide the contracted services (service management, quality, billing, collection and withdrawal/cancellation where applicable).
  • Send confirmations and notifications related to bookings (including modifications) by electronic or other means, where requested or necessary for the service.
  • Process payments through authorised providers and support fraud prevention (e.g., billing address checks).

b) Legitimate interests:

  • Send commercial communications about CARNECT goods and services similar to those purchased and manage opt‑outs (including different unsubscribe options).
  • Create a general commercial profile and segment audiences to optimise marketing communications (see section “Automated decisions and profiling”).
  • Conduct surveys and market research to improve service quality and customer experience.
  • Manage and process legal, out‑of‑court and insurance claims.

c) Consent (where required):

  • Send marketing communications based on internet browsing and/or consumption habits, where applicable law requires consent.

4.2. General contact

Categories of data processed

  • Identifying data: name, surname.
  • Contact details: email address, telephone number.
  • Data related to the professional relationship with CARNECT.
  • Other personal data provided when contacting us (e.g., by email).

Legal basis and purposes

a) Legitimate interest:

  • To maintain corporate relationships with companies, entities, organisations or independent professionals.
  • Respond to questions, requests, or complaints through website sections, forms, email, or call centres.

4.3. Website / platform users

Categories of data processed

  • Navigation data, browsing and technical data and IP address.

Legal basis and purposes

a) Consent

  • Personalise and segment website content through cookies or similar technologies when consented to via the banner; you may withdraw consent in accordance with our Cookie Policy.

b) Necessity

  • Process information without consent when required to provide website services. Anonymized or aggregated information is also processed.

4.4. Social media users

Categories of data processed

  • Data derived from interaction with CARNECT or HBX GROUP profiles on social networks, in accordance with the user's privacy settings.

Legal basis and purposes

a) Performance of the terms and conditions of the social network

  • Manage interactions (e.g., respond to queries and comments posted on public profiles).

4.5. Applicable to all data subjects

Categories of data processed

  • Personal data provided and generated during your relationship with CARNECT.

Legal basis and purposes

a) Legal obligations

  • Fulfilment of civil, commercial, tax, accounting, and other legal obligations, including those related to data protection.

Note on legitimate interest: when legitimate interest is the legal basis, we ensure your interests, fundamental rights and freedoms do not override our legitimate interests through a balancing assessment. You may request more information by contacting our DPO (section 9).

If you fail to provide information that is a statutory or contractual requirement, or required to enter into a contract, we may not be able to provide the requested service or information, or enter into a contract, as applicable.

5. When and why do we disclose your personal data to third parties?

We may disclose your personal data to the recipient groups below, depending on the services provided and the nature of our relationship with you. All providers acting on our behalf process personal data under our instructions and are bound by appropriate confidentiality and data processing obligations.

5.1. Public authorities and judicial bodies

  • Who & why: Public administrations, tax authorities, regulatory bodies, courts and tribunals, and law enforcement agencies, to comply with legal obligations applicable to CARNECT (including responding to official requests and proceedings).
  • Legal basis: Legal obligation.

5.2. Service providers

a) Screening and compliance data base services

  • Who & why: To help prevent and identify fraud, terrorism, money laundering, bribery, corruption, and other crimes, individuals are screened using specialized service providers databases.
  • Legal basis: Legitimate interest.

b) For the provision of the services

  • Who & why: Suppliers that require access to personal data to provide services on our behalf, such as call centre providers, marketing service providers, banks and financial institutions.
  • Legal basis: Performance of a contract (where necessary to provide services), legal obligation (where applicable), and/or legitimate interest in operating and protecting our business.

5.3. Audit firms & corporate transactions

a) Audit companies

  • Who & why: Accounting and audit firms, to ensure compliance with statutory accounting and audit obligations.
  • Legal basis: Legal obligation.

b) Structural changes / business transfers

  • Who & why: Third parties and their advisors who are considering any structural modification, contribution, transfer, or acquisition of all or part of CARNECT or HBX GROUP, where such disclosure is required for those purposes.
  • Legal basis: Legitimate interest.

c) Intra‑group sharing (HBX GROUP entities)

  • Who & why: CARNECT may share your personal data with other HBX GROUP entities for internal administrative and centralized management purposes.
  • Legal basis: Legitimate interest.

CARNECT shares your personal data only with suppliers and third parties essential for providing contracted services, all under confidentiality agreements and legal requirements. We will not share your data with any other third parties without your consent, except when required by law or contract. If in the future sharing data becomes necessary, CARNECT will notify you promptly.

6. International data transfers

CARNECT works with suppliers outside the European Economic Area, the UK, and Switzerland if their data protection regulations are deemed equivalent by relevant authorities. If suppliers are in countries without such equivalence, CARNECT ensures all required privacy safeguards are in place after verifying local laws. Sometimes, your data is transferred abroad when necessary for booking or fulfilling contracts, such as sharing details with hotels or partners in your chosen destination.

Safeguards may include contractual clauses, extra guarantees, or binding corporate rules approved by data protection authorities. For EEA citizens, these clauses are available here: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN. Regulations also permit us to transfer your data internationally when needed to deliver requested services.

We also inform you that HBX GROUP has companies outside the European Union, the United Kingdom or Switzerland. In such cases, HBX GROUP requires these companies to comply with appropriate measures to protect your personal data in accordance with European regulations.

For more information about your privacy guarantees, or the destination countries to which we need to transfer your data in order to fulfil our contractual obligations to you, you can contact HBX GROUP at the addresses indicated in section 9 of this Privacy Policy.

7. Automated decisions and profiling

CARNECT uses automated processing to build a profile of your interests and preferences when we send certain marketing communications. In some cases, this profiling may affect you legally or in a similar way, because it determines the type of offers or marketing content you receive.

What this means in practice: we analyse information such as your interactions with our content and services and, where relevant, booking-related preferences to place you into broad segments. This profiling is general, not specific or exhaustive, and is intended to tailor marketing communications rather than to produce detailed conclusions about you.

You may exercise your rights (including the right to object where applicable) by contacting us via the details in section 9.

8. For how long do we keep your data?

We will keep your personal data only for as long as necessary for the purposes for which it was collected and to comply with statutory limitation and retention periods authorised by law, or until you withdraw consent where applicable. We retain personal data for a maximum of 10 years (statutory period referenced in relation to certain tax‑related offences), although shorter retention periods may apply in specific circumstances not linked to our contractual relationship.

In some circumstances, we anonymise personal data so it can no longer be linked to you and may continue to use it in anonymised form. When we no longer need personal data, we securely delete or destroy it.

CARNECT retains data for the duration of your relationship with CARNECT and, thereafter, until the statute of limitations on any legal liability arising from that relationship expires. For more information on specific retention periods, please contact us using the details in section 9.

9. How can you exercise your rights?

You may exercise, with respect to the data collected, the rights of access, rectification, object, deletion, limitation and portability of data, in accordance with the regulations on data protection and withdraw your consent, as well as the right to define directives regarding the fate of your data after your death. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

These rights may be exercised by sending a communication:

  • By email dataprotection@carnect.com with the subject line “Data Protection”; or
  • By post with proof of receipt by HBX GROUP , indicating “Data Protection” on the envelope, addressed to the following address:
    • DPO: Camí Son Fangos, 100, Palma de Mallorca, Spain
    • Company: CS Business Center, 5th Fl, Hohe Bleichen 22, 20354 Hamburg (Germany).

Furthermore, if you consider that the processing of your personal data violates the regulations or your privacy rights, you can file a complaint:

  • By post or e-mail to the addresses indicated above, or
  • To the Hamburg Commissioner for Data Protection and Freedom of Information, by accessing https://datenschutz-hamburg.de/ or at the address Ludwig-Erhard-Str. 22, 7. OG 20459 Hamburg (Germany), or
  • To another personal data protection authority, for example at the data protection competent in your usual place of residence, place of work or place where the infringement took place. The contact details of the data protection authorities can be found here.

10. Changes, modifications or updates

CARNECT reserves the right to revise this Privacy Policy at any time it deems appropriate, in order to reflect regulatory changes, best practices or to update personal data processing activities. You will be informed of such updates in accordance with regulatory requirements, in the event that your rights are significantly affected as a result of such modification or update.