Privacy Policy

As of November 2021

Data protection information of the Yilu platform

In this data protection notice we inform you about the processing of your personal data in connection with the use of the Yilu platform ("Yilu platform").

1. Responsibility for data protection law

The Yilu platform is operated by Yilu Travel Services GmbH, Gormannstr. 14, 10119 Berlin, Germany (“Yilu”) as the person responsible for the processing of your personal data within the meaning of the data protection regulation of the European Union (“GDPR”) and the Federal Data Protection Act (“BDSG”). You can find complete information on Yilu in the legal notice. Information on how to contact the Group data protection officer and the responsible supervisory authority can be found at the end of this data protection notice.

With regard to the services mediated on the Yilu platform, the partner is responsible for processing your data within the meaning of the GDPR and the BDSG.

2. Your personal data

When using the Yilu platform, the following personal data are processed:

  • First and Last Name

  • E-mail address

  • Address

  • Phone number

  • Miles & More service card number

  • Payment method

Which of the aforementioned data is collected for the respective booking depends on which of the services of our partners you book.

Your payment data is collected by the payment processing platform of Stripe Inc., Delaware. Yilu does not process the credit card data.

3. Purposes and legal basis of the processing

The data collected by us will be processed by us to fulfill the brokerage contract and the contract for the use of the Yilu platform ("user contract") (Art. 6 Para. 1 S. 1 lit. b GDPR - contract fulfillment and pre-contractual measures).

For example, we use your email address to send you booking confirmations or invoices as part of the user contract. We transmit your Miles & More service card number to Miles & More GmbH in order to fulfill our obligations under the user agreement.

In addition, we process your data for the purpose of fraud prevention and to assert legal claims (Art. 6 Para. 1 S. 1 lit. f GDPR - safeguarding legitimate interests - entrepreneurial interest in protecting the company from material and immaterial damage).

4. Recipients of your data

In order to be able to offer you our products and services based on our contractual obligations or in accordance with our legitimate interests, we use service providers such as IT service providers as contract processors in accordance with Art. 28 GDPR. The service providers have been carefully selected and work exclusively according to our instructions. They provide sufficient guarantees to comply with data protection obligations.

We transmit the data required to implement the service contract to our partners. This is a transfer between two responsible bodies (so-called controller-to-controller).

We transmit to Miles & More GmbH the data required for the mileage credit as part of the Miles & More program (Miles & More service card number, number of miles, type of service, location of the service provided, cost of the service).

If personal data is transmitted to third countries, suitable guarantees are provided for your protection and the protection of your data in accordance with the legal requirements (in particular the EU's adequacy decision, application of EU standard contractual clauses; information on EU standard contractual clauses can be found on the websites of the European Union).

In addition, in certain cases we are legally obliged to provide personal data to German and international authorities (Art. 6 Para. 1 S. 1 lit. c GDPR - legal obligation).

The data collected by us will not be transmitted to other third parties.

5. Duration of storage

We process your data as long as it is necessary for the fulfillment of our contractual and legal obligations. When the purpose for which your data was processed no longer applies, it will be deleted unless it is necessary to keep it for the following purposes:

  • Fulfillment of retention periods under commercial and tax law, such as those resulting from the Commercial Code or the Tax Code; these periods are up to 10 years.

  • Preservation of evidence within the framework of the statute of limitations. According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is three years.

In these cases, your data will be blocked so that it can no longer be processed for other purposes.

6. Rights of data subjects

6.1 Your rights

As a data subject, you can exercise the following rights if the respective legal requirements are met:

  • Right to information, Art. 15 GDPR

  • Right to correction, Art. 16 GDPR

  • Right to deletion ("right to be forgotten"), Art. 17 GDPR

  • Right to restriction of processing, Art. 18 GDPR

  • Right to data portability, Art. 20 GDPR

  • Right to object, Art. 21 GDPR

To exercise your right, you can email us at In order to process your application and to be able to identify you, we would like to point out that we will process your personal data in accordance with Art. 6 Para. 1 S. 1 lit. c GDPR.

In addition, you have the right to lodge a complaint with a supervisory authority, Art. 77 GDPR in conjunction with Section 19 BDSG.

6.2 Supervisory authority

The supervisory authority responsible for Yilu is:
Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstraße 219
10969 Berlin
Tel.: 0049-30-13889-0
Fax: 0049-30-2155050

7. Right of objection according to Art. 21 GDPR

You have the right, for reasons that arise from your particular situation, to object at any time to the processing of your personal data, which is based on Art. 6 Para. 1 lit. e or f GDPR.

We will no longer process your personal data unless we can prove compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If the personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data relating to you for the purpose of such advertising.

If you object to processing for direct marketing purposes, the personal data relating to you will no longer be processed for these purposes.

In connection with the use of information society services, and notwithstanding Directive 2002/58/EC, you have the option of exercising your right of objection by means of automated processes that use technical specifications.

You can object to the processing of your personal data at any time.

8. Handling of data by partners

Our partners provide you with information on how they handle your data, in particular on their respective websites.

9. Tracking Tools and Cookies

9.1 Tracking Tools

  • Google Inc. (Google Analytics)

This website uses Google Analytics, a web analysis service from Google Ireland Limited (Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland). Use includes the "Universal Analytics" operating mode. This makes it possible to assign data, sessions and interactions across multiple devices to a pseudonymous user ID and thus to analyze the activities of a user across devices.

Google Analytics uses so-called "cookies", text files that are stored on your computer and that enable your use of the website to be analyzed. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there. If IP anonymization is activated on this website, your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. The full IP address will only be sent to a Google server in the USA and shortened there in exceptional cases. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide the website operator with other services relating to website activity and internet usage. Our legitimate interest in data processing also lies in these purposes. The legal basis for the use of Google Analytics is Section 15 Paragraph 3 TMG or Art. 6 Paragraph 1 lit. Sessions and campaigns are ended after a certain period of time. By default, sessions end after 30 minutes of inactivity and campaigns after six months. The time limit for campaigns can be a maximum of two years. You can find more information on terms of use and data protection at or at

You can prevent cookies from being installed by activating a corresponding setting in your browser software; however, we must inform you that, in this case, it is possible that you will not be able to use all the functions of this website entirely. Furthermore, you can prevent the capture of data by Google relating to your use of the website generated by the cookie (including your IP address), as well as the processing by Google of this data, by downloading and installing the browser add-on. Opt-out cookies prevent the future collection of your data when visiting this website. To prevent the capture of your data across multiple devices by Universal Analytics, you must complete the opt-out process on all systems you use.

  • Hotjar Ltd.

This website uses Hotjar. The provider is Hotjar Ltd., Level 2, St Julians Business Center, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe (website:

Hotjar is a tool for analyzing your user behavior on our website. With Hotjar we can, among other things, record your mouse and scroll movements and clicks. Hotjar can also determine how long you stayed with the mouse pointer on a certain point. From this information, Hotjar creates so-called heat maps, which can be used to determine which website areas are preferred by website visitors.

We can also determine how long you stayed on a page and when you left it. We can also determine at which point you canceled your entries in a contact form (so-called conversion funnels).

In addition, Hotjar can be used to obtain direct feedback from website visitors. This function serves to improve the website operator's web offers.

Hotjar uses cookies. Cookies are small text files that are stored on your computer and saved by your browser. They serve to make our offer more user-friendly, more effective and safer. These cookies can be used in particular to determine whether our website has been visited with a specific device or whether the Hotjar functions have been deactivated for the browser in question. Hotjar cookies remain on your device until you delete them.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when you close the browser. If cookies are deactivated, the functionality of this website may be restricted.

The use of Hotjar and the storage of Hotjar cookies are based on Art. 6 Para. 1 lit. f GDPR. The website operator has a legitimate interest in analyzing user behavior in order to optimize both its website and its advertising.

Deactivating Hotjar

If you would like to deactivate data collection by Hotjar, click on the following link and follow the instructions there:

Please note that Hotjar must be deactivated separately for each browser or for each end device.

For more information about Hotjar and the data collected, please refer to Hotjar's data protection declaration under the following link:

9.2 Cookies

In order to make our offer as user-friendly as possible, we use so-called cookies and similar technologies. For more information, see: Link to Cookie Policy

10. Data security

We use technical and organizational security measures to protect your data processed by us against accidental or deliberate manipulation, loss, destruction or against access by unauthorized persons. Our security measures are continuously improved in line with technological developments.

11. Update

We regularly review this data protection notice and update it as necessary. We will inform you about significant changes to this data protection notice.

12. Data protection officer

The group data protection officer of Deutsche Lufthansa AG is also the data protection officer of Yilu. If you have any questions about data protection, please contact the Group's data protection officer (e.g. by post: Deutsche Lufthansa AG, Group data protection officer, FRA CJ / D, Lufthansa Aviation Center, Airportring, 60549 Frankfurt or by email:
