Privacy Policy

Introduction and Overview

We have drafted this Privacy Policy (version 28.10.2025-123073195) to explain, in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (hereinafter “data”) we, as the controller, and the processors commissioned by us (e.g. hosting providers) process now and in the future and what legal options you have. The terms used are intended to be gender-neutral. In short: We inform you comprehensively about the data we process about you. Privacy policies usually sound very technical and use legal terminology. By contrast, this Privacy Policy is intended to describe the most important aspects as simply and transparently as possible. Where it supports transparency, technical terms are explained in a reader-friendly way, links to further information are provided, and graphics may be used. In clear and simple language, we inform you that, in the course of our business activities, we only process personal data when there is a corresponding legal basis. That is not possible with short, vague and overly technical-legal explanations, as is often the standard on the internet when it comes to data protection. We hope you find the following explanations interesting and informative, and perhaps you will learn something new. If you still have questions, please contact the responsible entity named below or in the legal notice, follow the links provided, and review additional information on third-party websites. You will also find our contact details in the legal notice.

Scope

This Privacy Policy applies to all personal data processed by us within our company and to all personal data processed by companies commissioned by us (processors). By personal data we mean information within the meaning of Art. 4(1) GDPR, such as a person’s name, email address, and postal address. The processing of personal data enables us to offer and bill for our services and products, whether online or offline. The scope of this Privacy Policy covers:
  • all online presences (websites, online shops) we operate
  • social media presences and email communication
  • mobile apps for smartphones and other devices
In short: This Privacy Policy applies to all areas in which personal data is processed within the company via the channels mentioned. Should we enter into legal relationships with you outside of these channels, we will inform you separately where appropriate.

Legal Bases

In the following Privacy Policy, we provide you with transparent information on the legal principles and provisions—i.e., the legal bases of the General Data Protection Regulation—that enable us to process personal data. With respect to EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. You can, of course, read this EU General Data Protection Regulation online on EUR-Lex, the access point to EU law, at https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32016R0679. We only process your data if at least one of the following conditions applies:
  1. Consent (Article 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose. An example would be the storage of the data you entered in a contact form.
  2. Contract (Article 6(1)(b) GDPR): We process your data to fulfil a contract with you or to carry out pre-contractual measures. For example, if we conclude a purchase agreement with you, we require personal information in advance.
  3. Legal obligation (Article 6(1)(c) GDPR): If we are subject to a legal obligation, we process your data. For instance, we are legally required to retain invoices for accounting purposes. These usually contain personal data.
  4. Legitimate interests (Article 6(1)(f) GDPR): In the event of legitimate interests that do not restrict your fundamental rights, we reserve the right to process personal data. For example, we must process certain data to operate our website securely and economically efficiently. This processing thus constitutes a legitimate interest.
Other conditions, such as the performance of a task carried out in the public interest or in the exercise of official authority, and the protection of vital interests, generally do not arise for us. If such a legal basis should apply, this will be indicated at the relevant point. In addition to the EU Regulation, national laws also apply:
  • In Austria, this is the Federal Act concerning the Protection of Natural Persons in the Processing of Personal Data (Data Protection Act), abbreviated DSG.
  • In Germany, the applicable law is the Federal Data Protection Act, abbreviated BDSG.
If further regional or national laws apply, we will inform you in the sections below.

Controller Contact Details

If you have any questions about data protection or the processing of personal data, please find below the contact details of the controller pursuant to Article 4(7) GDPR:

Storage Period

As a general rule, we only store personal data for as long as is absolutely necessary to provide our services and products. This means that we delete personal data as soon as the reason for processing no longer exists. In some cases, we are legally obliged to retain certain data even after the original purpose has ceased to apply, for example for accounting purposes. If you request the deletion of your data or withdraw your consent to data processing, the data will be deleted as quickly as possible, provided there is no obligation to retain it. Where we have further information, we will inform you below about the specific duration of the respective data processing.

Rights under the GDPR

In accordance with Articles 13 and 14 GDPR, we inform you of the following rights to ensure fair and transparent processing of data:
  • Under Article 15 GDPR, you have the right to obtain confirmation as to whether or not we process personal data concerning you. Where this is the case, you have the right to obtain a copy of the data and the following information:
    • the purposes of the processing;
    • the categories of personal data concerned;
    • the recipients of the data and, where the data are transferred to third countries, how adequate protection is ensured;
    • the envisaged period for which the data will be stored;
    • the existence of the right to rectification, erasure, restriction of processing and the right to object to processing;
    • the right to lodge a complaint with a supervisory authority (links to these authorities can be found below);
    • the source of the data if they were not collected from you;
    • whether automated decision-making, including profiling, is carried out.
  • Under Article 16 GDPR, you have the right to rectification of inaccurate personal data concerning you.
  • Under Article 17 GDPR, you have the right to erasure (“right to be forgotten”).
  • Under Article 18 GDPR, you have the right to restriction of processing, meaning we may only store the data but not further process it.
  • Under Article 20 GDPR, you have the right to data portability, meaning that upon request we will provide your data in a commonly used format.
  • Under Article 21 GDPR, you have the right to object, which, if exercised, results in a change to the processing.
    • If the processing of your data is based on Article 6(1)(e) (public interest, exercise of official authority) or Article 6(1)(f) (legitimate interests), you can object to the processing. We will then promptly assess whether we can legally comply with your objection.
    • If data are used for direct marketing, you may object to this type of processing at any time. We will then no longer use your data for direct marketing.
    • If data are used for profiling, you may object to this type of processing at any time. We will then no longer use your data for profiling.
  • Under Article 22 GDPR, you may have the right not to be subject to a decision based solely on automated processing (including profiling).
  • Under Article 77 GDPR, you have the right to lodge a complaint with a supervisory authority. This means you can contact the data protection authority at any time if you believe that the processing of personal data violates the GDPR.
In short: You have rights—please do not hesitate to contact the responsible entity listed above! If you believe that the processing of your data violates data protection law or that your data protection rights have otherwise been infringed, you can lodge a complaint with the supervisory authority. In Austria, this is the Data Protection Authority, whose website is available at https://www.dsb.gv.at/. In Germany, each federal state has its own data protection officer. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). For our company, the following local data protection authority is responsible:

Austrian Data Protection Authority

Head: Dr. Matthias Schmidl
Address: Barichgasse 40-42, 1030 Vienna
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/

Data Processing Agreement (DPA)

In this section, we explain what a Data Processing Agreement is and why it is needed. As the term “Data Processing Agreement” can be a bit of a tongue twister, we will also use the acronym DPA here. Like most companies, we do not work alone; we also use services of other companies or individuals. By involving various companies or service providers, we may transfer personal data for processing. These partners then act as processors, with whom we conclude a contract, the so-called Data Processing Agreement (DPA). Most importantly for you: the processing of your personal data is carried out exclusively in accordance with our instructions and must be governed by the DPA.

Who are processors?

As the company and website owner, we are responsible for all data that we process about you. In addition to controllers, there may also be so-called processors. This includes any company or person who processes personal data on our behalf. More precisely, under the GDPR definition: any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller is a processor. Processors may include service providers such as hosting or cloud providers, payment or newsletter providers, or large companies such as Google or Microsoft. For better understanding of the terms, here is an overview of the three roles under the GDPR: Data subject (you as a customer or prospect) → Controller (we as the company and client) → Processor (service providers such as web hosts or cloud providers)

Contents of a Data Processing Agreement

As mentioned above, we have concluded DPAs with our partners who act as processors. These contracts state first and foremost that the processor will process the data to be handled exclusively in accordance with the GDPR. The contract must be concluded in writing; however, electronic contract conclusion is considered “in writing” in this context. Processing of personal data takes place only on the basis of the contract. The contract must include the following:
  • binding to us as the controller
  • obligations and rights of the controller
  • categories of data subjects
  • types of personal data
  • nature and purpose of the data processing
  • subject matter and duration of the data processing
  • place of data processing
The contract also contains all obligations of the processor. The most important obligations are:
  • ensuring measures for data security
  • implementing appropriate technical and organizational measures to protect the rights of the data subject
  • maintaining a record of processing activities
  • cooperating with the data protection supervisory authority upon request
  • conducting a risk analysis regarding the personal data received
  • sub-processors may only be engaged with the written authorization of the controller
You can view an example of such a DPA (in German) at https://www.wko.at/service/wirtschaftsrecht-gewerberecht/eu-dsgvo-mustervertrag-auftragsverarbeitung.html. This link contains a model contract.

Web Analytics – Introduction

Web Analytics Privacy Summary

👥 Data subjects: Website visitors
🤝 Purpose: Evaluation of visitor information to optimize the web offering.
📓 Data processed: Access statistics containing data such as access locations, device data, duration and time of access, navigation behavior, click behavior, and IP addresses. You can find more details in the privacy information of the respective web analytics tool used.
📅 Storage period: depends on the web analytics tool used
⚖️ Legal bases: Art. 6(1)(a) GDPR (consent), Art. 6(1)(f) GDPR (legitimate interests)

What is web analytics?

We use software on our website to analyze the behavior of website visitors, known as web analytics or web analysis. In the process, data are collected which the respective analytics tool provider (also called a tracking tool) stores, manages, and processes. Using these data, analyses of user behavior on our website are created and made available to us as the website operator. Most tools also offer various testing options. For example, we can test which offers or content are best received by our visitors. For a limited period, we show you two different offers. After the test (so-called A/B testing), we know which product or content our website visitors find more interesting. For such testing procedures, as well as for other analytics procedures, user profiles can also be created and data can be stored in cookies.

Why do we use web analytics?

We have a clear goal with our website: we want to deliver the best web offering in our industry. To achieve this goal, we want, on the one hand, to offer the best and most interesting content and, on the other hand, ensure that you feel completely comfortable on our website. With the help of web analytics tools, we can examine the behavior of our website visitors more closely and then improve our web offering for you and for us. For example, we can determine the average age of our visitors, where they come from, when our website is most visited, or which content or products are particularly popular. All this information helps us optimize the website and tailor it to your needs, interests, and wishes.

What data are processed?

The exact data stored depends on the analytics tools used. Generally, however, information is stored about which content you view on our website, which buttons or links you click, when you access a page, which browser you use, which device (PC, tablet, smartphone, etc.) you use to visit the website, or which computer system you are using. If you have consented to the collection of location data, these may also be processed by the web analytics tool provider. Your IP address is also stored. According to the GDPR, IP addresses are personal data. However, your IP address is usually stored in a pseudonymized (i.e., anonymized and shortened) form. For the purposes of testing, web analysis, and web optimization, no direct data such as your name, age, address, or email address are generally stored. If such data are collected, they are stored in a pseudonymized form so that you cannot be identified as a person. The following example illustrates schematically how Google Analytics works as an example of client-based web tracking with JavaScript code.

[Figure: Schematic data flow in Google Analytics]

The duration for which the respective data are stored always depends on the provider. Some cookies store data only for a few minutes or until you leave the website, while other cookies can store data for several years.

Duration of data processing

We will inform you about the duration of data processin