With the following privacy policy, we would like to inform you about what types of your personal data (hereinafter also referred to as “data”) we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of the provision of our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offer”).
*/imprint/|See imprint*
The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.
Relevant legal bases according to the GDPR: Below you will find an overview of the legal bases of the GDPR on the basis of which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases also apply in individual cases, we will inform you of these in the privacy policy.
National data protection regulations in Austria: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Austria. These include, in particular, the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act - DSG). In particular, the Data Protection Act contains special regulations on the right to information, the right to rectification or erasure, the processing of special categories of personal data, processing for other purposes and transfer as well as automated decision-making in individual cases.
We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access, input, disclosure, safeguarding availability and separation of the data. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data and responses to data threats. Furthermore, we already take the protection of personal data into account when developing or selecting hardware, software and processes in accordance with the principle of data protection, through technology design and through data protection-friendly default settings.
Securing online connections using TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. If a website is secured by an SSL/TLS certificate, this is signaled by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and encrypted.
As part of our processing of personal data, it may be transmitted to other bodies, companies, legally independent organizational units or persons or disclosed to them. The recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.
Data transfer within the organization: Data transfer within the group of companies: We may transfer personal data to other companies within our group of companies or grant them access to it. If the data transfer is for administrative purposes, it is based on our legitimate business and economic interests or takes place if it is necessary to fulfill our contractual obligations or if the consent of the data subjects or a legal permission exists.
Data processing in third countries: If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements. If the level of data protection in the third country has been recognized by means of an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data will only be transferred if the level of data protection is otherwise ensured, in particular through standard contractual clauses (Art. 46 para. 2 lit. c) GDPR), express consent or in the case of contractual or legally required transfer (Art. 49 para. 1 GDPR). In addition, we will inform you of the basis for third country transfers with the individual providers from the third country, whereby the adequacy decisions take precedence. Information on third country transfers and existing adequacy decisions can be found in the information provided by the EU Commission: *https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en|https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.*
EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called “Data Privacy Framework” (DPF), the EU Commission has also recognized the level of data protection as secure for certain companies from the USA as part of the adequacy decision of 10.07.2023. The list of certified companies and further information on the DPF can be found on the website of the US Department of Commerce at *https://www.dataprivacyframework.gov/|https://www.dataprivacyframework.gov/*. As part of the data protection information, we will inform you which service providers we use are certified under the Data Privacy Framework.
We delete personal data that we process in accordance with the statutory provisions as soon as the underlying consents are revoked or there is no further legal basis for the processing. This applies to cases in which the original purpose of processing no longer applies or the data is no longer required. There are exceptions to this rule if legal obligations or special interests require longer storage or archiving of the data.
In particular, data that must be stored for commercial or tax law reasons or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly.
Our data protection information contains additional information on the retention and deletion of data that applies specifically to certain processing operations.
If there is more than one indication of the retention period or deletion period for a date, the longest period shall always apply.
If a period does not expressly begin on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in the context of which data is stored, the event triggering the deadline is the date on which the termination or other termination of the legal relationship takes effect.
We only process data that is no longer stored for the originally intended purpose, but due to legal requirements or other reasons, for the reasons that justify its storage.
Rights of data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:
We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as “contractual partners”), in the context of contractual and comparable legal relationships and related measures and with regard to communication with the contractual partners (or pre-contractual), for example to respond to inquiries.
We use this data to fulfill our contractual obligations. These include, in particular, the obligations to provide the agreed services, any updating obligations and remedies in the event of warranty and other service disruptions. In addition, we use the data to safeguard our rights and for the purpose of the administrative tasks associated with these obligations and the company organization. We also process the data on the basis of our legitimate interests both in the proper and efficient management of our business and in security measures to protect our contractual partners and our business operations from misuse, threats to their data, secrets, information and rights (e.g. to involve telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the framework of applicable law, we only pass on the data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners will be informed about other forms of processing, such as for marketing purposes, as part of this privacy policy.
We inform the contractual partners which data is required for the aforementioned purposes before or during data collection, e.g. in online forms, by means of special marking (e.g. colors) or symbols (e.g. asterisks or similar), or personally.
We delete the data after the expiry of statutory warranty and comparable obligations, i.e. generally after four years, unless the data is stored in a customer account, e.g. as long as it must be retained for legal archiving reasons (e.g. for tax purposes, generally ten years). We delete data disclosed to us by the contractual partner as part of an order in accordance with the specifications and generally after the end of the order.
Personal data of service recipients and clients - including customers, clients or, in special cases, clients, patients or business partners as well as other third parties - are processed within the scope of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business processes in areas such as customer management, sales, payment transactions, accounting and project management.
The data collected is used to fulfill contractual obligations and efficiently design operational processes. This includes the processing of business transactions, the management of customer relationships, the optimization of sales strategies and the guarantee of internal accounting and financial processes. In addition, the data supports the protection of the rights of the controller and promotes administrative tasks and the organization of the company.
Personal data may be passed on to third parties if this is necessary to fulfill the stated purposes or legal obligations.
Economic analyses and market research: The available data on business transactions, contracts, inquiries, etc. are analyzed for business purposes and to identify market trends, the wishes of contractual partners and users. The group of data subjects may include contractual partners, interested parties, customers, visitors and users of the controller's online offering. The analyses are carried out for the purposes of business evaluations, marketing and market research (e.g. to determine customer groups with different characteristics). If available, profiles of registered users and their details of services used are taken into account. The analyses are used exclusively by the controller and are not disclosed externally, unless they are anonymous analyses with summarized, i.e. anonymized values. In addition, the privacy of the users is taken into account; the data is pseudonymized as far as possible for analysis purposes and, if feasible, processed anonymously (e.g. as aggregated data); legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
We process users' data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or end device.
Hetzner: Services in the field of the provision of information technology infrastructure and related services (e.g. storage space and/or computing capacity); service provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: *https://www.hetzner.com|https://www.hetzner.com*; Privacy Policy: *https://www.hetzner.com/legal/privacy-policy/|https://www.hetzner.com/legal/privacy-policy/*. Order processing contract: *https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/|https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/*.
Information on legal bases under data protection law: The legal basis under data protection law on which we process users' personal data using cookies depends on whether we ask for their consent. If users accept, the legal basis for processing their data is their declared consent. Otherwise, the data processed using cookies will be processed on the basis of our legitimate interests (e.g. in the commercial operation of our online offering and the improvement of its usability) or, if this is done in the context of the fulfillment of our contractual obligations, if the use of cookies is necessary to fulfill our contractual obligations. We explain the purposes for which we use cookies in the course of this privacy policy or as part of our consent and processing procedures.
Users can revoke the consent they have given at any time and also object to processing in accordance with the legal requirements, also by means of the privacy settings of their browser.
*/opt-out/|cookie settings/opt-out*
BorlabsCookie: Consent management: Process for obtaining, logging, managing and revoking consent, in particular for the use of cookies and similar technologies for storing, reading and processing information on users' end devices and their processing; Service provider: Execution on servers and/or computers under its own responsibility under data protection law; Website: https://de.borlabs.io/borlabs-cookie/. Further information: An individual user ID, language and types of consent and the time of their submission are stored on the server and in the cookie on the user's device.
When contacting us (e.g. by post, contact form, email, telephone or via social media) and in the context of existing user and business relationships, the data of the inquiring persons are processed insofar as this is necessary to answer the contact inquiries and any requested measures.
We process personal data for the purposes of advertising communication, which may take place via various channels, such as email, telephone, post or fax, in accordance with legal requirements.
Recipients have the right to withdraw their consent at any time or to object to advertising communication at any time.
After revocation or objection, we store the data required to prove the previous authorization for contacting or sending for up to three years after the end of the year of revocation or objection on the basis of our legitimate interests. The processing of this data is limited to the purpose of a possible defense against claims. On the basis of the legitimate interest in permanently observing the revocation or objection of the user, we also store the data required to avoid renewed contact (e.g. depending on the communication channel, the e-mail address, telephone number, name).
Web analysis (also referred to as “reach measurement”) is used to evaluate the flow of visitors to our online offering and may include behavior, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, recognize at what time our online offer or its functions or content are most frequently used or invite visitors to reuse them. It also enables us to understand which areas require optimization.
In addition to web analysis, we may also use test procedures, for example to test and optimize different versions of our online offering or its components.
Unless otherwise stated below, profiles, i.e. data summarized for a usage process, may be created for these purposes and information may be stored in a browser or end device and then read out. The information collected includes, in particular, websites visited and the elements used there as well as technical information such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data from us or from the providers of the services we use, location data may also be processed.
In addition, the IP addresses of users are stored. However, we use an IP masking procedure (i.e. pseudonymization by shortening the IP address) to protect users. In general, no clear user data (such as e-mail addresses or names) is stored in the context of web analysis, A/B testing and optimization, but pseudonyms. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective procedures.
Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.
Google Analytics: We use Google Analytics to measure and analyze the use of our online offering on the basis of a pseudonymous user identification number. This identification number does not contain any unique data, such as names or e-mail addresses. It is used to assign analysis information to an end device in order to recognize which content users have called up within one or more usage processes, which search terms they have used, which they have called up again or which they have interacted with our online offering. The time of use and its duration are also stored, as well as the sources of the users that refer to our online offering and technical aspects of their end devices and browsers.
Pseudonymous profiles of users are created with information from the use of various devices, whereby cookies can be used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides rough geographic location data by deriving the following metadata from IP addresses: City (and the city's inferred latitude and longitude), Continent, Country, Region, Subcontinent (and ID-based counterparts). For EU traffic, IP address data is used exclusively for this derivation of geolocation data before it is immediately deleted. They are not logged, are not accessible and are not used for other purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR);
Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymization of the IP address); Privacy Policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Basis for third country transfers: Data Privacy Framework (DPF); Opt-Out: Opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=de; Settings for the display of advertisements: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (types of processing and processed data).
Google Tag Manager: We use Google Tag Manager, a software from Google that enables us to manage so-called website tags centrally via a user interface. Tags are small code elements on our website that are used to record and analyze visitor activity. This technology helps us to improve our website and the content offered on it. Google Tag Manager itself does not create any user profiles, does not store any cookies with user profiles and does not carry out any independent analyses. Its function is limited to simplifying the integration and management of tools and services that we use on our website and making them more efficient. Nevertheless, when using the Google Tag Manager, the IP address of the user is transmitted to Google, which is necessary for technical reasons in order to implement the services we use. Cookies may also be set in the process. However, this data processing only takes place if services are integrated via the Tag Manager. For more detailed information on these services and their data processing, please refer to the further sections of this privacy policy; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: *https://marketingplatform.google.com|https://marketingplatform.google.com*; Privacy Policy:
*https://business.safety.google/adsprocessorterms|https://business.safety.google/adsprocessorterms*.
Google reCAPTCHA 3
reCAPTCHA collects personal data from users in order to determine whether the actions on our website actually originate from people. The IP address and other data that Google requires for the reCAPTCHA service can therefore be sent to Google. IP addresses are almost always truncated within the member states of the EU or other signatory states to the Agreement on the European Economic Area before the data is sent to a server in the USA. The IP address is not combined with other Google data unless you are logged in with your Google account while using reCAPTCHA. First, the reCAPTCHA algorithm checks whether Google cookies from other Google services (YouTube, Gmail, etc.) have already been placed on your browser. Then reCAPTCHA places an additional cookie in your browser and takes a snapshot of your browser window.
Google Ads and conversion measurement: online marketing process for the purpose of placing content and ads within the service provider's advertising network (e.g. in search results, in videos, on websites, etc.) so that they are displayed to users who have a presumed interest in the ads. In addition, we measure the conversion of the ads, i.e. whether users have taken them as an opportunity to interact with the ads and use the advertised offers (so-called conversions). However, we only receive anonymous information and no personal information about individual users; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for third country transfers: Data Privacy Framework (DPF); Further information: Types of processing and data processed: *https://business.safety.google/adsservices/|https://business.safety.google/adscontrollerterms*. Data processing conditions between controllers and standard contractual clauses for third country transfers of data: *https://business.safety.google/adscontrollerterms|https://business.safety.google/adscontrollerterms*.
Grundlage Drittlandtransfers: *https://www.dataprivacyframework.gov/|Data Privacy Framework (DPF)*.
We process personal data for the purpose of online marketing, which may include in particular the marketing of advertising space or the presentation of advertising and other content (collectively referred to as “content”) based on the potential interests of users and the measurement of its effectiveness.
For these purposes, so-called user profiles are created and stored in a file (the so-called “cookie”) or similar procedures are used, by means of which the user data relevant for the presentation of the aforementioned content is stored. This may include, for example, content viewed, websites visited, online networks used, but also communication partners and technical information, such as the browser used, the computer system used and information on usage times and functions used. If users have consented to the collection of their location data, this can also be processed.
The IP addresses of users are also stored. However, we use available IP masking procedures (i.e. pseudonymization by shortening the IP address) for user protection. In general, no clear user data (such as e-mail addresses or names) is stored as part of the online marketing process, but pseudonyms. This means that neither we nor the providers of the online marketing procedures know the actual identity of the users, but only the information stored in their profiles.
The statements in the profiles are generally stored in cookies or by means of similar procedures. These cookies can generally also be read later on other websites that use the same online marketing process and analyzed for the purpose of displaying content and supplemented with further data and stored on the server of the online marketing process provider.
In exceptional cases, it is possible to assign clear data to the profiles, primarily if the users are, for example, members of a social network whose online marketing processes we use and the network links the user profiles with the aforementioned data. Please note that users can make additional agreements with the providers, for example by giving their consent during registration.
In principle, we only receive access to summarized information about the success of our advertisements. However, as part of so-called conversion measurements, we can check which of our online marketing processes have led to a so-called conversion, i.e. to the conclusion of a contract with us, for example. The conversion measurement is used solely to analyze the success of our marketing measures.
Unless otherwise stated, we ask you to assume that the cookies used are stored for a period of two years.
Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is permission. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.
We ask you to inform yourself regularly about the content of our privacy policy. We will adapt the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time and please check the information before contacting us.