With the following privacy policy, we aim to inform you about the types of your personal data (hereinafter also referred to as “data”), the purposes for which it is processed, and the extent of such processing. This privacy policy applies to all personal data processing activities we carry out, both as part of providing our services and, in particular, on our websites, mobile applications, and within external online presences such as our social media profiles (hereinafter collectively referred to as “online offering”).

The terms used are gender-neutral.

Effective Date: December 1st, 2024

Overview of Processing

The following overview summarizes the types of data processed, the purposes of the processing, and the categories of affected individuals.

Types of Data Processed:

• Master data
• Payment data
• Contact data
• Content data
• Contract data
• Usage data
• Meta, communication, and procedural data

Categories of Affected Individuals:

• Customers
• Prospective customers
• Users
• Business and contractual partners

Purposes of Processing:

• Provision of contractual services and customer support
• Responding to inquiries and communication
• Security measures
• Office and organizational procedures
• Administration and response to requests
• Feedback collection
• Marketing
• User-related profiling
• Provision and user-friendliness of our online offering
• Information technology infrastructure

Legal Bases

The following provides an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations in your or our country of residence may apply. If more specific legal bases are relevant in individual cases, we will inform you in this privacy policy.

• Contract performance and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR): Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract.
• Legal obligation (Art. 6(1)(1)(c) GDPR): Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate interests (Art. 6(1)(1)(f) GDPR): Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data.

In addition to the GDPR’s data protection regulations, national regulations apply in Austria, notably the Federal Act on the Protection of Natural Persons regarding the Processing of Personal Data (Data Protection Act – DSG). The DSG includes specific provisions on the right to information, rectification or deletion, processing of special categories of personal data, processing for other purposes, transfers, and automated individual decision-making.

Security Measures

We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.

These measures include ensuring the confidentiality, integrity, and availability of data by controlling both physical and electronic access to the data and access, input, transmission, securing availability, and separation of data. Additionally, we have established procedures to uphold data subject rights, delete data, and respond to data threats. Furthermore, we consider the protection of personal data during the development or selection of hardware, software, and procedures according to the principles of data protection by design and by default.

• TLS Encryption (HTTPS): To protect the data transmitted through our online offering, we use TLS encryption. You can recognize such encrypted connections by the “https://” prefix in your browser’s address bar.

Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or processing occurs as part of using third-party services or disclosing or transferring data to other persons, entities, or companies, it will only be carried out in compliance with legal requirements.

Subject to express consent or required contractual or legal transfers, we process or allow data to be processed only in third countries with a recognized data protection level, contractual obligation through so-called EU Commission standard protection clauses, certifications, or binding internal data protection regulations (Art. 44–49 GDPR). More information is available on the EU Commission’s website: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en.

Data Deletion

The data we process will be deleted in accordance with legal requirements as soon as the consents permitted for processing are withdrawn or other permissions cease to apply (e.g., if the purpose of processing no longer applies or the data is no longer required for the purpose). If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted to these purposes. This means the data will be locked and not processed for other purposes. For instance, this applies to data required to be retained for commercial or tax law reasons or data needed to establish, exercise, or defend legal claims or to protect the rights of another natural or legal person.

Our privacy notices may also contain additional information about the retention and deletion of data for specific processing activities.

Use of Cookies

Cookies are small text files or other markers stored on devices to save and retrieve information from the devices. For example, they can store login statuses, shopping cart contents in an online store, accessed content, or used features of an online offering. Cookies can also be used for various purposes, such as ensuring the functionality, security, and convenience of online offerings or analyzing visitor flows.

Consent Notices: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users unless legally not required. Consent is not necessary, particularly if storing and retrieving information (including cookies) is essential to provide a telemedia service (our online offering) explicitly requested by users. Revocable consent is clearly communicated to users and contains information on cookie usage.

Legal Basis for Cookies: The legal basis for processing users’ personal data using cookies depends on whether we ask for user consent. If users consent, the legal basis is their declared consent. Otherwise, data processed using cookies is based on our legitimate interests (e.g., for a business operation of our online offering and its usability improvement) or, if required, to fulfill contractual obligations.

Cookie Types and Duration

• Temporary Cookies (Session Cookies): Deleted no later than when a user leaves the online offering and closes their device (e.g., browser or mobile application).
• Permanent Cookies: Remain stored even after closing the device. For example, login statuses or preferred content can be displayed directly when revisiting a website. Unless otherwise specified, cookies should be assumed permanent, with a storage duration of up to two years.

Opt-Out Information: Users can revoke their given consent anytime and object to processing under the GDPR’s provisions (Art. 21 GDPR). Users can object via their browser settings, e.g., by disabling cookie use (although this may limit functionality). Objections to cookies for online marketing purposes can also be made at https://optout.aboutads.info and https://www.youronlinechoices.com.

Cookie Management Tool:

• Complianz: Cookie consent management; Service provider: Locally hosted on our server, no data sharing with third parties.
  • Website: https://complianz.io/
  • Privacy Policy: https://complianz.io/legal/
  • Additional Information: Individual user ID, language, types of consents, and timestamps are stored server-side and in cookies on the user’s device.