PRIVACY POLICY

This Privacy Policy applies to the processing of personal data in accordance with:

• EU General Data Protection Regulation (GDPR)
• Austrian Data Protection Act (Datenschutzgesetz - DSG)
• Austrian Telecommunications Act (Telekommunikationsgesetz - TKG)

By using our website and services, you acknowledge that you have read and understood this Privacy Policy.

3.1. Data You Provide Directly

Contact Form Submissions (Art. 6(1)(b) GDPR)

When you submit an inquiry via our contact form, we collect:

• First name and last name
• Email address
• Phone number
• Message content (optional)

Purpose: Processing your inquiry, preparing quotes or commercial offers, establishing pre-contractual or contractual relationships.

Legal Basis: Article 6(1)(b) GDPR (performance of a contract or pre-contractual measures at your request).

Order and Account Information (Art. 6(1)(b) GDPR)

If you place an order, we additionally collect:

• Billing and shipping address
• Payment information (processed securely by third-party payment providers)
• Order details (products, quantities, prices)

Purpose: Order processing, fulfillment, invoicing, customer service.

Legal Basis: Article 6(1)(b) GDPR (performance of contract).

Appointment Booking via Calendly (Art. 6(1)(b) GDPR)

When you book an appointment via our online booking tool, we collect:

• First name and last name
• Email address
• Appointment date and time
• Any additional information you provide in the booking form

For card payments, your payment card details are processed by our external payment service provider Select 2 Pay. Your card data is transmitted directly to Select 2 Pay and is not stored on our servers.

3.2. Data Collected Automatically

Technical and Usage Data (Art. 6(1)(f) GDPR)

When you visit our website, we automatically collect:

• IP address (anonymized after 7 days)
• Browser type and version
• Operating system
• Referring website (referrer URL)
• Date and time of access
• Pages viewed and files downloaded

Purpose: Ensuring website functionality, security, detecting and preventing fraud, improving user experience.

Legal Basis: Article 6(1)(f) GDPR (legitimate interests in maintaining secure and functional website operations).

3.3. Cookies and Tracking Technologies

We use cookies and similar technologies. Details are provided in Section 9 below.

3.4. Data We Do NOT Collect

We do not collect or process special categories of personal data (Article 9 GDPR), such as:

• Health data
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic or biometric data
• Data concerning sex life or sexual orientation

We process your personal data for the following purposes and on the following legal bases:

• Contact form processing (responding to inquiries and taking pre-contractual steps): Art. 6(1)(b) GDPR.
• Order processing and fulfilment (including payment and delivery): Art. 6(1)(b) GDPR.
• Website functionality and security (e.g., preventing abuse, ensuring stable operation): Art. 6(1)(f) GDPR.
• Analytics and website improvement (non-essential cookies): Art. 6(1)(a) GDPR (consent via cookie banner).
• Legal compliance (e.g., accounting, tax retention duties): Art. 6(1)(c) GDPR.
• Marketing communications (only if you opt in): Art. 6(1)(a) GDPR (consent).

We retain your personal data only as long as necessary for the purposes stated and to comply with legal obligations:

• Contact form inquiries: Until the inquiry is resolved plus 3 years (statute of limitations under Austrian civil law)
• Order and invoicing data: 7 years (Austrian tax and accounting law – BAO §132)
• IP addresses and server logs: 7 days (anonymized thereafter for security purposes)
• Marketing consent: Until consent is withdrawn
• Cookies: As specified in cookie settings (session cookies deleted upon browser closure; analytics cookies up to 14 months)

After the retention period expires, personal data is securely deleted or anonymized.

6.1. Data Processors (Art. 28 GDPR)

We share your personal data with trusted third-party service providers who process data on our behalf under strict data processing agreements:

• Hosting and IT services: EU-based hosting providers (e.g., AWS Europe, Hetzner)
• Payment processors: PayPal, Stripe (data processing agreements in place)
• Shipping and logistics: DHL, Austrian Post (only for order fulfillment)
• Email services: EU-based email providers for transactional emails

All processors are contractually obligated to comply with GDPR and process data only as instructed by us.

Payment processors: Select 2 Pay, PayPal, Stripe (data processing agreements in place)

Scheduling services: Calendly LLC (appointment booking and calendar management)

6.2. Legal Obligations

We may disclose your personal data to:

• law enforcement or regulatory authorities when required by law or court order
• Tax authorities (for invoicing and accounting compliance)

6.3. No Sale or Marketing Sharing

We do not sell, rent, or share your personal data with third parties for their direct marketing purposes.

6.4. International Data Transfers

All data processing occurs within the European Economic Area (EEA). If any data transfer outside the EEA becomes necessary, we will:

• Use Standard Contractual Clauses (SCCs) approved by the European Commission
• Ensure adequate data protection safeguards under GDPR Chapter V
• Inform you and obtain consent where required

You have the following rights regarding your personal data:

7.1. Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether we process your personal data and to receive a copy of such data.

7.2. Right to Rectification (Art. 16 GDPR)

You may request correction of inaccurate or incomplete personal data.

7.3. Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR)

You may request deletion of your personal data when:

• Data is no longer necessary for the purposes collected
• You withdraw consent (where processing is based on consent)
• You object to processing based on legitimate interests
• Data was unlawfully processed
• Legal obligation requires deletion

Exception: We may retain data if required by law (e.g., tax/accounting obligations).

7.4. Right to Restriction of Processing (Art. 18 GDPR)

You may request restriction (blocking) of processing in certain circumstances.

7.5. Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

7.6. Right to Object (Art. 21 GDPR)

You may object to processing based on legitimate interests (Art. 6(1)(f)) at any time. We will cease processing unless we demonstrate compelling legitimate grounds.

7.7. Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

7.8. Right to Lodge a Complaint

You have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehorde):

Austrian Data Protection Authority (DSB)

Barichgasse 40-42

1030 Wien, Austria

Phone: +43 1 52 152-0

Email: [email protected]

Website: https://www.dsb.gv.at

7.9. How to Exercise Your Rights

To exercise any of the above rights, please contact us at:

Email: [email protected]

Phone: +43 681 818 22732

We will respond to your request within one month of receipt. In complex cases, we may extend this period by two additional months and will inform you accordingly.

9.1. What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They enable us to recognize your browser and improve your user experience.

9.2. Types of Cookies We Use

Essential Cookies are necessary for the website to function properly (e.g., security, session management). These are session cookies that expire when you close your browser.

Analytics Cookies help us understand how visitors use our site. We use Google Analytics with IP anonymization. These cookies are stored for up to 14 months.

Marketing Cookies (optional) may be used for advertising purposes. These are only set with your explicit consent and their duration varies by provider.

9.3. Legal Basis

Essential cookies: Art. 6(1)(f) GDPR (legitimate interests in website functionality)

Analytics and marketing cookies: Art. 6(1)(a) GDPR (consent via cookie banner)

9.4. Google Analytics

We use Google Analytics with IP anonymization enabled. Google Analytics is a web analytics service provided by Google LLC. Data is processed in accordance with Google's data processing agreement.

You may opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout

9.5. Managing Cookies

You can control and delete cookies through your browser settings:

• Chrome: Settings > Privacy and security > Cookies
• Firefox: Options > Privacy & Security > Cookies
• Safari: Preferences > Privacy > Manage Website Data
• Edge: Settings > Cookies and site permissions

You may also adjust your cookie preferences via our cookie consent banner when first visiting the website.

Note: Disabling essential cookies may impair website functionality.

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, alteration, or disclosure:

• Encryption: SSL/TLS encryption for data transmission (HTTPS)
• Access controls: Restricted access to personal data on a need-to-know basis
• Secure servers: EU-based data centers with ISO 27001 certification
• Regular security audits: Penetration testing and vulnerability assessments
• Employee training: Data protection training for all staff
• Incident response plan: Procedures for data breach notification

10.1. Data Breach Notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will:

• Notify the Austrian Data Protection Authority within 72 hours (Art. 33 GDPR)
• Inform affected individuals without undue delay if high risk exists (Art. 34 GDPR)

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations.

• Material changes will be posted on this page with an updated "Last Updated" date
• We may notify you by email or website notice if changes significantly affect your rights
• Your continued use of our website after changes become effective constitutes acceptance of the revised policy

We recommend reviewing this Privacy Policy periodically to stay informed about how we protect your data.