Privacy Policy
Preamble
With the following privacy policy, we would like to inform you which types of your personal data (hereinafter also referred to simply as “data”) we process for which purposes and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, as well as within external online presences such as our social media profiles (hereinafter collectively referred to as the “online offering”).
The terms used are not gender-specific.
Status: 11 June 2025
Table of Contents
- Preamble
- Controller
- Overview of Processing Activities
- Relevant Legal Bases
- Security Measures
- Transfer of Personal Data
- General Information on Data Storage and Deletion
- Rights of Data Subjects
- Business Processes and Procedures
- Provision of the Online Offering and Web Hosting
- Use of Cookies
- Contact and Inquiry Management
- Communication via Messenger
- Newsletters and Electronic Notifications
- Promotional Communication via Email, Post, Fax, or Telephone
- Web Analytics, Monitoring and Optimization
- Customer Reviews and Rating Procedures
- Presences on Social Networks (Social Media)
- Plug-ins and Embedded Functions and Content
- Changes and Updates
Controller
First name, surname / company
Street, number
Postcode, city, country
Email: firstname.lastname@exampledomain.eu
Overview of Processing Activities
The following overview summarizes the types of data processed and the purposes of their processing and refers to the categories of data subjects.
Types of Data Processed
- Master data.
- Payment data.
- Location data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communication and procedural data.
- Log data.
Categories of Data Subjects
- Recipients of services and clients.
- Prospective customers.
- Communication partners.
- Users.
- Business and contractual partners.
Purposes of Processing
- Provision of contractual services and fulfillment of contractual obligations.
- Communication.
- Security measures.
- Direct marketing.
- Reach measurement.
- Office and organizational procedures.
- Organizational and administrative procedures.
- Feedback.
- Marketing.
- Profiles with user-related information.
- Provision of our online offering and user-friendliness.
- Information technology infrastructure.
- Public relations.
- Sales promotion.
- Business processes and commercial procedures.
Relevant Legal Bases
Relevant legal bases under the GDPR
Below is an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence/registered office. If, in individual cases, more specific legal bases are relevant, we will inform you of them in this privacy policy.
- Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that the interests or fundamental rights and freedoms of the data subject which require the protection of personal data do not override those interests.
National data protection regulations in Austria
In addition to the GDPR, national data protection provisions apply in Austria. These include, in particular, the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act – DSG). The Data Protection Act contains specific provisions on the right of access, the right to rectification or deletion, processing of special categories of personal data, processing for other purposes and transfer as well as automated decision-making in individual cases.
Note on the applicability of the GDPR and the Swiss FADP
These privacy notices serve both the information requirements under the Swiss Federal Act on Data Protection (FADP) and under the GDPR. For reasons of broader territorial applicability and comprehensibility, the terms of the GDPR are used. In particular, instead of the terms used in the Swiss FADP (“processing” of “personal data,” “overriding interest,” and “particularly sensitive personal data”), the GDPR terms “processing” of “personal data,” “legitimate interest,” and “special categories of data” are used. However, the legal meaning of the terms remains determined by the Swiss FADP within its scope of application.
Security Measures
In accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of processing as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as the access, input, transfer, securing of availability and separation of the data concerned. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data and responses to data threats. We also take the protection of personal data into account already during the development or selection of hardware, software and procedures, in line with the principle of data protection through technology design and privacy-friendly default settings.
Securing online connections through TLS/SSL encryption technology (HTTPS):
To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt information transmitted between the website or app and the user’s browser (or between two servers), thereby protecting data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is transmitted securely and in encrypted form.
Transfer of Personal Data
In the course of processing personal data, it may happen that such data is transferred to other entities, companies, legally independent organizational units, or persons, or disclosed to them. Recipients of this data may include, for example, service providers tasked with IT duties or providers of services and content integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.
Data transfers within the organization:
We may transfer personal data to other departments or units within our organization or grant them access to it. Where data is shared for administrative purposes, this is based on our legitimate business and commercial interests or occurs where necessary to fulfill our contractual obligations, or if consent of the data subjects or legal permission exists.
General Information on Data Storage and Deletion
We delete personal data that we process in accordance with legal requirements as soon as the underlying consents are revoked or no further legal basis for processing exists. This applies in cases where the original purpose of processing ceases to apply or the data is no longer required. Exceptions apply if statutory obligations or particular interests require longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for the pursuit of legal claims or the protection of the rights of other natural or legal persons, must be archived accordingly.
Our privacy notices contain additional information on the retention and deletion of data that apply specifically to certain processing operations.
If multiple retention periods or deletion deadlines are specified for a datum, the longest period is always decisive.
If a period does not expressly begin on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships within which data is stored, the triggering event is the effective date of termination or other ending of the legal relationship.
Data that is no longer required for its original purpose but is retained due to legal requirements or other reasons is processed solely for the reasons that justify its retention.
Further notes on processing operations, procedures and services:
Retention and deletion of data (Austria):
- 10 years – retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, accounting vouchers and invoices as well as all necessary work instructions and other organizational documents (Federal Fiscal Code — BAO §132; Austrian Commercial Code — UGB §§190–212).
- 6 years – other business documents: received commercial or business letters, copies of sent commercial or business letters and other documents relevant for tax. This includes, for example, hourly wage slips, operating accounting sheets, calculation documents, price labels and payroll documents, insofar as they are not already accounting vouchers and till receipts (BAO §132; UGB §§190–212).
- 3 years – data required to take account of potential warranty and damages claims or similar contractual claims and rights, and to process related inquiries, based on prior business experience and common industry practice, are stored for the duration of the regular statutory limitation period of three years (§§ 1478, 1480 ABGB).
Rights of Data Subjects
Rights of data subjects under the GDPR
As a data subject, you have various rights under the GDPR, in particular those arising from Articles 15 to 21 GDPR:
- Right to object: You have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of such personal data for such marketing; this also applies to profiling insofar as it is related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw consent at any time.
- Right of access: You have the right to obtain confirmation as to whether or not data concerning you is being processed and, where that is the case, access to such data and to further information and a copy of the data in accordance with legal requirements.
- Right to rectification: You have the right, in accordance with legal requirements, to request the completion of data concerning you or the rectification of inaccurate data concerning you.
- Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to request that data concerning you be erased without undue delay, or alternatively to request restriction of processing of the data in accordance with legal requirements.
- Right to data portability: You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, or to request its transmission to another controller, in accordance with legal requirements.
- Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
Business Processes and Procedures
Personal data of recipients of services and clients—including customers, clients, or in specific cases mandatees, patients or business partners, as well as other third parties—is processed within the framework of contractual and similar legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business processes in areas such as customer management, sales, payments, accounting and project management.
The collected data serves to fulfill contractual obligations and to design operational processes efficiently. This includes handling business transactions, managing customer relationships, optimizing sales strategies, and ensuring internal accounting and financial processes. Additionally, the data supports the protection of the controller’s rights and promotes administrative tasks and the organization of the company.
Personal data may be disclosed to third parties where necessary to fulfill the aforementioned purposes or legal obligations …
Types of data processed: master data (e.g., full name, home address, contact details, customer number, …); payment data (e.g., bank details, invoices, payment history, …); contact data (e.g., postal and email addresses or …); content data (e.g., textual or visual messages and contributions and the information relating to them, such as authorship details …); contract data (e.g., subject matter of contract, term, customer category, …); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with …); meta, communication and procedural data (e.g., IP addresses, timestamps, identifiers, involved …).
Data subjects: recipients of services and clients; prospective customers; communication partners; business and contractual partners.
Purposes of processing: provision of contractual services and fulfillment of contractual obligations; office and organizational procedures; business processes and commercial procedures.
Retention and deletion: deletion in accordance with the information in the section “General Information on Data Storage and Deletion.”
Legal bases: performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing operations, procedures and services:
Economic analyses and market research:
For business purposes and to identify market trends, the wishes of contractual partners and users, the available data on business transactions, contracts, inquiries, etc. is analyzed. The group of data subjects may include contractual partners, prospective customers, customers, visitors and users of the controller’s online offering. The analyses serve business evaluations, marketing and market research (e.g., to determine customer groups with different characteristics). Where available, profiles of registered users, including their details on the services used, are taken into account. Analyses are for the controller only and are not disclosed externally unless they are anonymous analyses with aggregated, i.e., anonymized, values. Privacy is respected; data is pseudonymized for analysis purposes and, where feasible, anonymized (e.g., as aggregated data); legal basis: legitimate interests (Art. 6(1)(f) GDPR).
Provision of the Online Offering and Web Hosting
We process users’ data to provide our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.
Types of data processed: usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and procedural data (e.g., IP addresses, timestamps, identifiers, involved persons); log data (e.g., log files regarding logins or data retrieval or access times); content data (e.g., textual or visual messages and contributions and the related information, such as authorship details or time of creation).
Data subjects: users (e.g., website visitors, users of online services).
Purposes of processing: provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures.
Retention and deletion: deletion in accordance with the section “General Information on Data Storage and Deletion.”
Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing operations, procedures and services:
Collection of access data and log files:
Access to our online offering is logged in the form of so-called “server log files.” Server log files may include the addresses and names of the accessed web pages and files, date and time of access, transferred data volumes, reports on successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. Server log files may be used for security purposes (e.g., to avoid server overload, particularly in the event of abusive attacks, so-called DDoS attacks) and to safeguard server capacity and stability; legal basis: legitimate interests (Art. 6(1)(f) GDPR). Deletion of data: log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes is excluded from deletion until the respective incident has been conclusively resolved.
Wix: hosting and software for the creation, provision and operation of websites, blogs and other online offerings; provider: Wix.com Ltd., Nemal St. 40, 6350671 Tel Aviv, Israel; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://de.wix.com/; privacy policy: https://de.wix.com/about/privacy; data processing agreement: https://www.wix.com/about/privacy-dpa-users. Basis for third-country transfers: Data Privacy Framework (DPF).
Use of Cookies
“Cookies” refers to functions that store information on users’ end devices and read it from them. Cookies can also be used for different purposes, e.g., to ensure the functionality, security and convenience of online offerings as well as to create analyses of visitor flows. We use cookies in accordance with legal provisions. Where required, we obtain users’ prior consent. If consent is not necessary, we rely on our legitimate interests when storing and reading information that is essential to provide expressly requested content and functions (e.g., storing settings and ensuring the functionality and security of our online offering). Consent can be withdrawn at any time. We provide clear information about the scope of cookie use and about which cookies are used.
Notes on legal bases: Whether we process personal data with the help of cookies depends on consent. If consent is given, it is the legal basis. Without consent, we rely on our legitimate interests as explained in this section and in the context of the respective services and procedures.
Storage duration:
- Temporary (session) cookies: deleted at the latest after a user leaves the online offering and closes their device (e.g., browser or app).
- Permanent cookies: remain stored after closing the device. For example, the login status can be saved and preferred content displayed directly on the next visit. Cookies may also be used for reach measurement. If we do not provide explicit details on the type and storage duration, users should assume permanence and a duration of up to two years.
General notes on withdrawal and objection (opt-out):
Users can withdraw consents at any time and also object to processing in accordance with legal requirements, including via their browser’s privacy settings.
Types of data processed: meta, communication and procedural data (e.g., IP addresses, timestamps, identifiers, involved persons).
Data subjects: users (e.g., website visitors, users of online services).
Legal bases: legitimate interests (Art. 6(1)(f) GDPR); consent (Art. 6(1)(a) GDPR).
Further notes on processing operations, procedures and services:
Processing of cookie data based on consent:
We use a consent-management solution by which users’ consent to the use of cookies or to the procedures and providers listed within the consent-management solution is obtained, logged, managed and can be withdrawn. The consent statements are stored to avoid repeat prompts and to provide proof of consent as required by law. Storage takes place server-side and/or in a cookie (opt-in cookie) or using comparable technologies to assign the consent to a specific user or device. Unless specific details of consent-management providers are given, the following applies: the storage duration of consent is up to two years. A pseudonymous user identifier is created and stored together with the time of consent, the scope of consent (e.g., categories of cookies and/or service providers) as well as information about the browser, system and device used; legal basis: consent (Art. 6(1)(a) GDPR).
Contact and Inquiry Management
When contacting us (e.g., by post, contact form, email, telephone or via social media) and within existing user and business relationships, we process the details of the inquiring persons as far as this is necessary to respond to contact requests and any requested measures.
Types of data processed: master data (e.g., full name, home address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); content data (e.g., textual or visual messages and contributions and related information, such as authorship details or time of creation); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and procedural data (e.g., IP addresses, timestamps, identifiers, involved persons).
Data subjects: communication partners.
Purposes of processing: communication; organizational and administrative procedures; feedback (e.g., collecting feedback via online form); provision of our online offering and user-friendliness.
Retention and deletion: deletion in accordance with “General Information on Data Storage and Deletion.”
Legal bases: legitimate interests (Art. 6(1)(f) GDPR); performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Further notes:
Contact form:
When contacting us via our contact form, email or other communication channels, we process the personal data transmitted to us to answer and handle the respective request. This usually includes details such as name, contact information and any further information necessary for appropriate handling. We use this data solely for the stated purpose of contact and communication; legal bases: performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
Communication via Messenger
We use messengers for communication and therefore ask you to note the following information regarding the functionality of messengers, encryption, the use of communication metadata and your options to object.
You can also contact us via alternative means, e.g., telephone or email. Please use the contact options provided to you or those listed in our online offering.
In the case of end-to-end encryption of content (i.e., the content of your message and attachments), please note that the communication content (message content and attached images) is encrypted end-to-end. This means the content of messages cannot be viewed, not even by the messenger providers themselves. You should always use an up-to-date version of the messenger with encryption enabled to ensure message content is secured.
We also inform our communication partners that, while providers cannot see message content, they may learn that and when communication partners communicate with us and may process technical information about the communication partners’ device and, depending on device settings, also location information (so-called metadata).
Legal bases: Where we ask communication partners for permission before communicating via messenger, the legal basis is their consent. Otherwise, if we do not request consent and they contact us on their own initiative, we use messengers in relation to our contractual partners and in the context of contract initiation as a contractual measure and, for other interested parties and communication partners, on the basis of our legitimate interests in fast and efficient communication and in fulfilling our communication partners’ needs. Furthermore, we do not transmit contact data to messengers for the first time without your consent.
Withdrawal, objection and deletion: You can withdraw consent at any time.
Types of data processed: contact data (e.g., postal and email addresses …); content data (e.g., textual or visual messages and contributions and related information, such as authorship details …).
Data subjects: communication partners.
Purposes of processing: communication.
Retention and deletion: deletion per “General Information on Data Storage and Deletion.”
Legal bases: consent (Art. 6(1)(a) GDPR); performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Newsletters and Electronic Notifications
We send newsletters, emails and other electronic notifications (“newsletters”) only with recipients’ consent or on the basis of a legal permission. Where the contents of the newsletter are specified during registration, they are decisive for users’ consent. Usually, your email address is sufficient for newsletter registration. To provide a personalized service, we may ask for your name for a personal salutation in the newsletter or for further information if necessary for the newsletter’s purpose.
Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests before deleting them to be able to prove previously given consent. Processing of this data is limited to the purpose of potential defense against claims. An individual deletion request is possible at any time if, at the same time, the former existence of consent is confirmed. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a block list.