Privacy Policy
Version: June 2026. Earlier versions are available on request. In case of doubt, the German version prevails.
Controller
The controller for data processing within the meaning of the GDPR is itat e.U. (owner: Erwin Mike Schuster), Exenbergerweg 1/21, 1110 Vienna, Austria. Contact: [email protected] · +43 1 234 27 10. Further company details can be found in the imprint.
Data protection contact
For questions about data protection, please contact the controller named above ([email protected]). Data protection requests are handled internally by a WKO-certified data protection officer. The appointment of a data protection officer pursuant to Art. 37 GDPR is not mandatory for us.
What data we process
When you visit the website: When you visit this website, the web server records technical data in server log files: IP address, page accessed, date and time of access, volume of data transferred, referrer URL and user agent (browser/operating system). This processing serves the technical provision, stability and security of the website. The legal basis is our legitimate interest pursuant to Art. 6(1)(f) GDPR. Log files are generally deleted after no more than 30 days, unless a security-relevant event requires longer storage. No data is passed on for advertising purposes.
When you contact us: If you contact us via Signal, WhatsApp or e-mail, we process the content of your message and the contact details you provide in order to handle your request. The legal basis is Art. 6(1)(b) GDPR (initiation or performance of a contract) or Art. 6(1)(f) GDPR (responding to general enquiries). The data is deleted once the matter has been concluded, provided no statutory retention obligations (e.g. under the Austrian UGB and BAO, generally 7 years) require otherwise.
When you visit the website, no cookies are set, no analytics or tracking tools are used, and no external fonts or icon services are loaded. There is no contact form on this site.
Hosting
This website is operated by a hosting provider that processes the data arising from website visits (in particular server log files) on our behalf. A data processing agreement pursuant to Art. 28 GDPR is in place with the provider, ensuring confidential processing bound by our instructions. The legal basis is Art. 6(1)(f) GDPR.
Content delivery network (Cloudflare)
To deliver this website securely and with good performance, we use the content delivery network (CDN) of Cloudflare (Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA). Cloudflare acts as an upstream proxy and, in doing so, processes technical connection data (in particular the IP address) to deliver the content and to defend against attacks (e.g. DDoS). The legal basis is our legitimate interest in secure and reliable operation pursuant to Art. 6(1)(f) GDPR. A data processing agreement pursuant to Art. 28 GDPR is in place with Cloudflare. As Cloudflare is based in a third country (USA), any transfer takes place on the basis of the EU Standard Contractual Clauses. Details: cloudflare.com/privacypolicy.
Customer management (CRM)
To handle enquiries, contacts and business transactions in an orderly way, we use a CRM system (OpenERP). In it we process the contact details you provide, the content of your communication and information about the respective business transaction. The CRM runs exclusively on our own infrastructure (self-hosted); these data are not passed on to an external CRM provider, and no transfer to a third country takes place. The legal basis is Art. 6(1)(b) GDPR (initiation and performance of a contract) or Art. 6(1)(f) GDPR (legitimate interest in efficient and traceable contact and case management). Retention follows the periods set out above; statutory retention obligations (generally 7 years) remain unaffected where records are relevant under tax or commercial law.
Third parties — if you contact us
Signal (Signal Messenger LLC, USA): message content is end-to-end encrypted; Signal itself has no access to the content. Details: signal.org/legal.
WhatsApp (WhatsApp Ireland Ltd., a Meta Platforms company): message content is end-to-end encrypted; however, metadata (e.g. phone number, time of contact) is processed. Details: whatsapp.com/legal.
Contacting us via these channels is voluntary and happens on your initiative. As Signal and WhatsApp are based in a third country (USA), this may involve a transfer of data to a third country. If you wish to avoid this, please use e-mail or telephone.
Cookies, analytics and tracking
This website sets no cookies, loads no external fonts or icon services, uses no analytics or tracking tools and embeds no content from social networks or third parties. Cookie consent is therefore not required.
Recipients of the data
Your data is only passed on where this is necessary to handle your request or perform a contract, where a legal obligation exists, or where you have given consent. Processors (e.g. hosting) are contractually bound pursuant to Art. 28 GDPR. Your data is never sold.
Your rights
Under the GDPR you have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and the right to object to processing based on legitimate interest (Art. 21). You may withdraw any consent you have given at any time with effect for the future. To exercise your rights, a message to [email protected] is sufficient. We will respond to your request within the statutory period (generally within one month).
Right to lodge a complaint with the supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority. In Austria this is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde), Barichgasse 40–42, 1030 Vienna, [email protected], dsb.gv.at.
No automated decision-making
No automated decision-making, including profiling, within the meaning of Art. 22 GDPR takes place.
Changes to this privacy policy
We will adapt this privacy policy whenever changes in data processing or in the legal situation require it. The current version published on this page applies in each case.