Legal Notice

Sposato e.U.
Teresa Sposato Bakk. MA
Schaltberg 33a/2
3323 Neustadtl an der Donau

Phone: +43 7471 20 999
Email: office@sato-studio.at

Jurisdiction: Regional Court St. Pölten | Company Register: FN344792y
VAT Number: UID ATU65611117

Privacy Policy

Introduction and Overview
We have prepared this privacy policy (Version 31.08.2022-112110334) to explain to you, in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, what personal data (in short, “data”) we as the data controller, and the data processors (e.g., providers) we commission, process and will process in the future, and what legal rights you have. The terms used are intended to be understood in a gender-neutral manner.

In short: We provide you with comprehensive information about the data we process about you.

Privacy policies typically sound very technical and use legal terminology. However, this privacy policy aims to describe the most important aspects as simply and transparently as possible. Wherever it helps with transparency, technical terms are explained in a reader-friendly manner, links to additional information are provided, and graphics are used. We inform you clearly and simply that we only process personal data when a corresponding legal basis exists as part of our business activities. This cannot be achieved through the brief, unclear, and legalistic explanations that are often standard on the internet regarding data protection. We hope you find the following explanations interesting and informative, and perhaps you’ll find some information that you didn’t know before.

If you still have questions, we encourage you to contact the responsible office listed below or in the legal notice, follow the links provided, and view additional information on third-party websites. Our contact details can also be found in the legal notice.

Scope of Application

This privacy policy applies to all personal data processed by our company and to all personal data processed by companies commissioned by us (data processors). When we mention personal data, we refer to information as defined in Article 4 No. 1 GDPR, such as the name, email address, and postal address of an individual. The processing of personal data allows us to provide and invoice our services and products, whether online or offline. The scope of this privacy policy includes:

  • All online presences (websites, online shops) operated by us
  • Social media presences and email communication
  • Mobile apps for smartphones and other devices

In short: This privacy policy applies to all areas in which personal data is processed within the company through the channels mentioned above. If we enter into legal relationships with you outside of these channels, we will inform you separately if necessary.

Legal Basis

In the following privacy policy, we provide you with transparent information about the legal principles and regulations, i.e., the legal bases of the General Data Protection Regulation, which allow us to process personal data.
Regarding EU law, we refer to the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. You can, of course, read this EU General Data Protection Regulation online on EUR-Lex, the access point to EU law, at https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32016R0679.

We only process your data if at least one of the following conditions is met:

  1. Consent (Article 6 (1) lit. a GDPR): You have given us your consent to process data for a specific purpose. An example would be storing the data you enter into a contact form.
  2. Contract (Article 6 (1) lit. b GDPR): We process your data to fulfill a contract or pre-contractual obligations with you. For example, if we conclude a purchase contract with you, we need to process personal information in advance.
  3. Legal Obligation (Article 6 (1) lit. c GDPR): If we are subject to a legal obligation, we process your data. For example, we are legally required to keep invoices for accounting purposes, which usually contain personal data.
  4. Legitimate Interests (Article 6 (1) lit. f GDPR): If we have legitimate interests that do not override your fundamental rights, we reserve the right to process personal data. For example, we need to process certain data to operate our website securely and cost-efficiently. This processing is therefore a legitimate interest.

Further conditions, such as carrying out a task in the public interest and exercising public authority, or the protection of vital interests, generally do not apply to us. If such a legal basis does become relevant, it will be indicated at the appropriate place.

Additionally, national laws apply alongside the EU Regulation:

  • In Austria, this is the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act), abbreviated as DSG.
  • In Germany, the Federal Data Protection Act (BDSG) applies.

If further regional or national laws are applicable, we will inform you in the following sections.

Contact Information of the Data Controller

If you have questions about data protection or the processing of personal data, you can find the contact details of the responsible person or office below:
Sposato e.U.
Teresa Sposato Bakk. MA
Schaltberg 33a/2
3323 Neustadtl an der Donau

Email: office@sato-studio.at
Phone: +43 7271 20 999
Legal Notice:
https://sato-studio.at/en/imprint-and-data-privacy/

Data Retention Period

Our general criterion is that we only store personal data for as long as it is necessary to provide our services and products. This means that we delete personal data as soon as the reason for the data processing is no longer applicable. In some cases, we are legally obliged to store certain data even after the original purpose has ceased to exist, for example, for accounting purposes.

If you request the deletion of your data or revoke your consent to data processing, the data will be deleted as quickly as possible, provided there is no legal obligation to retain it.
We inform you about the specific duration of data processing further down, where we have additional information available.

Rights According to the General Data Protection Regulation

In accordance with Articles 13 and 14 of the GDPR, we inform you about the following rights that you have to ensure a fair and transparent processing of data:

  • Right to Information (Article 15 GDPR): You have the right to know if we are processing data about you. If this is the case, you have the right to receive a copy of the data and be informed about the following:

    • The purpose of the processing
    • The categories of data being processed
    • Who receives the data and, if the data is transferred to third countries, how security is ensured
    • How long the data is stored
    • The existence of the right to rectification, deletion, restriction of processing, and objection to processing
    • That you can lodge a complaint with a supervisory authority (links to these authorities are provided below)
    • The origin of the data, if we did not collect it from you
    • Whether profiling is conducted and, if so, how it is carried out to create a personal profile of you
  • Right to Rectification (Article 16 GDPR): You have the right to have incorrect data corrected. This means that we must correct any errors you identify in the data.

  • Right to Deletion (“Right to be Forgotten”) (Article 17 GDPR): You have the right to request the deletion of your data.

  • Right to Restriction of Processing (Article 18 GDPR): You have the right to restrict the processing of your data, meaning that we may only store it but not use it further.

  • Right to Data Portability (Article 20 GDPR): You have the right to receive your data in a commonly used format upon request.

  • Right to Object (Article 21 GDPR): You have the right to object, which, if enforced, results in a change in processing.

    • If the processing of your data is based on Article 6 (1) lit. e (public interest, exercise of public authority) or Article 6 (1) lit. f (legitimate interest), you can object to the processing. We will then quickly determine whether we can legally comply with this objection.
    • If your data is used for direct marketing purposes, you can object to this type of data processing at any time. We will then no longer use your data for direct marketing.
    • If your data is used for profiling purposes, you can also object to this type of data processing at any time. We will then no longer use your data for profiling.
  • Right not to be Subject to Automated Decision-Making (Article 22 GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

  • Right to Lodge a Complaint (Article 77 GDPR): You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR.

In short: You have rights—do not hesitate to contact the responsible office listed above if you need further clarification!

If you believe that the processing of your data violates data protection law or your data protection rights have been violated in any other way, you can file a complaint with the supervisory authority. In Austria, the supervisory authority is the Data Protection Authority (Datenschutzbehörde), which you can find at https://www.dsb.gv.at/. In Germany, each federal state has its own data protection officer. For further information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). For our company, the following local data protection authority is responsible:

Austrian Data Protection Authority
Head: Mag. Dr. Andrea Jelinek
Address: Barichgasse 40-42, 1030 Vienna
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/

Data Transfers to Third Countries

We only transfer data to, or process data in, countries outside the EU (third countries) if you have given your consent, it is legally required, or necessary for contractual purposes, and only to the extent that it is generally permitted. Your consent is usually the most important reason for us to process data in third countries. The processing of personal data in third countries like the USA, where many software providers offer services and host their servers, can mean that personal data is processed and stored in unexpected ways.

We expressly point out that, in the opinion of the European Court of Justice, there is currently no adequate level of protection for data transfer to the USA. The data processing by US services (e.g., Google Analytics) may result in data being processed and stored non-anonymously. Furthermore, US authorities may have access to certain data. It may also happen that collected data is linked to data from other services of the same provider, provided that you have a corresponding user account. Where possible, we try to use server locations within the EU, if available.

We will inform you at the relevant points in this privacy policy in more detail about data transfers to third countries if applicable.

Security of Data Processing

To protect personal data, we have implemented both technical and organizational measures. Where possible, we encrypt or pseudonymize personal data. We do our best to make it as difficult as possible for third parties to infer personal information from our data.

Article 25 of the GDPR refers to “data protection by design and by default,” meaning that security measures must be considered in both software (e.g., forms) and hardware (e.g., access to server rooms). Below, we discuss specific measures we have taken to ensure security, if applicable.

TLS Encryption with HTTPS

TLS, encryption, and HTTPS sound very technical, and they are. We use HTTPS (Hypertext Transfer Protocol Secure) to transmit data securely over the Internet. This means that all data transmitted from your browser to our web server is secured, and no one can “listen in.”

This adds an additional layer of security, fulfilling data protection by design (Article 25 (1) GDPR). By using TLS (Transport Layer Security), a protocol for secure data transmission on the Internet, we can ensure the protection of confidential data. You can recognize the use of this data transmission security by the small lock symbol in the top left corner of the browser and the use of the “https” scheme as part of our Internet address.

If you want to learn more about encryption, we recommend searching for “Hypertext Transfer Protocol Secure wiki” on Google for good links to further information.

Communication

Communication Overview

  • Affected Parties: Anyone who contacts us via phone, email, or online form.
  • Processed Data: e.g., phone number, name, email address, form data entries. More details can be found under the respective communication type.
  • Purpose: Handling communication with customers, business partners, etc.
  • Storage Duration: Duration of the business transaction and according to legal requirements.
  • Legal Basis: Article 6 (1) lit. a GDPR (consent), Article 6 (1) lit. b GDPR (contract), Article 6 (1) lit. f GDPR (legitimate interests).

When you contact us via phone, email, or online form, personal data may be processed. The data will be used to process and handle your inquiry and the related business transaction. The data will be stored as long as necessary for the business purpose or as required by law.

Affected Individuals

All individuals who contact us through the communication channels provided by us are affected by this data processing.

  • Phone
    If you call us, your call data may be pseudonymously stored on the respective end device and by the telecommunications provider. Additionally, data such as your name and phone number may be saved and sent via email for follow-up purposes. The data will be deleted once the business transaction is completed, provided there are no legal requirements to keep it.

  • Email
    When you communicate with us via email, the data may be stored on the respective device (computer, laptop, smartphone, etc.) and also on the email server. The data will be deleted once the business transaction is completed, provided there are no legal requirements to keep it.

  • Online Forms
    If you communicate with us via an online form, the data will be stored on our web server and may be forwarded to our email address. The data will be deleted once the business transaction is completed, provided there are no legal requirements to keep it.

Legal Basis

The processing of data is based on the following legal bases:

  • Article 6 (1) lit. a GDPR (consent): You give us consent to store your data and continue to use it for purposes related to the business transaction.
  • Article 6 (1) lit. b GDPR (contract): Processing is necessary to fulfill a contract with you or with a data processor, such as a telecommunications provider, or we need to process the data for pre-contractual activities, such as preparing a quotation.
  • Article 6 (1) lit. f GDPR (legitimate interests): We want to conduct customer inquiries and business communication in a professional manner. For this, certain technical facilities, such as email programs, exchange servers, and mobile operators, are necessary to handle communication efficiently.

Data Processing Agreement (DPA)

In this section, we explain what a Data Processing Agreement (DPA) is and why it is necessary. Because the term “Data Processing Agreement” is quite a mouthful, we will occasionally use the abbreviation DPA. Like most companies, we do not work alone but also use the services of other companies or individuals. By involving different companies or service providers, it may happen that we pass on personal data for processing. These partners then act as data processors, with whom we conclude a contract, the so-called Data Processing Agreement (DPA). The most important thing for you to know is that your personal data will only be processed according to our instructions and must be governed by the DPA.

Who Are Data Processors?

We, as a company and website owner, are responsible for all the data we process about you. In addition to the controllers, there can also be so-called data processors. This includes any company or person that processes personal data on our behalf. More specifically, according to the GDPR definition: any natural or legal person, public authority, agency, or other body that processes personal data on our behalf is considered a data processor. Data processors may include service providers such as hosting or cloud providers, payment service providers, newsletter providers, or large companies like Google or Microsoft.

For a better understanding of the terminology, here’s an overview of the three roles defined in the GDPR:

  1. Data Subject (you as a customer or prospect)
  2. Controller (we as a company and principal)
  3. Data Processor (service providers such as web hosts or cloud providers)

Content of a Data Processing Agreement

As mentioned above, we have signed DPAs with our partners acting as data processors. The most important points defined in a DPA are:

  • Binding to us as the controller
  • Duties and rights of the controller
  • Categories of affected individuals
  • Types of personal data
  • Type and purpose of data processing
  • Object and duration of data processing
  • Location of data processing

Furthermore, the contract includes all obligations of the data processor. The most important obligations are:

  • Ensuring data security measures
  • Taking potential technical and organizational measures to protect the rights of the data subject
  • Maintaining a record of data processing activities
  • Cooperating with supervisory authorities upon request
  • Conducting a risk analysis regarding the received personal data
  • Sub-processors may only be engaged with the written approval of the controller

If you would like to see an example of such a DPA, you can visit this template provided by the Austrian Chamber of Commerce (WKO).


Cookies

Cookies Overview

  • Affected Parties: Visitors to the website.
  • Purpose: Depending on the respective cookie. More details can be found below or with the manufacturer of the software that sets the cookie.
  • Processed Data: Depends on the respective cookie. More details can be found below or with the manufacturer of the software that sets the cookie.
  • Storage Duration: Depends on the respective cookie, which can vary from hours to years.
  • Legal Basis: Article 6 (1) lit. a GDPR (consent), Article 6 (1) lit. f GDPR (legitimate interests).

What are Cookies?
Our website uses HTTP cookies to store user-specific data. Below, we explain what cookies are and why they are used, to help you understand the following privacy policy better.

Whenever you browse the internet, you use a browser. Well-known browsers include Chrome, Safari, Firefox, Internet Explorer, and Microsoft Edge. Most websites store small text files in your browser called cookies.
There’s no denying that cookies are really useful little helpers. Almost all websites use cookies. More specifically, they are HTTP cookies since there are also other types of cookies for different applications. HTTP cookies are small files stored on your computer by our website. These cookie files are automatically stored in your browser’s cookie folder—essentially, the “brain” of your browser. A cookie consists of a name and a value. When defining a cookie, one or more attributes must also be specified.

Cookies store certain user data, such as language or personal page settings. When you visit our site again, your browser sends back the “user-specific” information to our site. Thanks to cookies, our website knows who you are and offers you your preferred settings. In some browsers, each cookie has its own file; in others, such as Firefox, all cookies are stored in a single file.

The following graphic illustrates the possible interaction between a web browser like Chrome and the web server. The web browser requests a website, and the server responds by sending back a cookie, which the browser uses again whenever another page is requested.

HTTP Cookie Interaction Between Browser and Web Server

There are first-party cookies and third-party cookies. First-party cookies are created directly by our website, while third-party cookies are created by partner websites (e.g., Google Analytics). Each cookie must be evaluated individually, as each cookie stores different data. Cookie durations can also vary from just a few minutes to several years. Cookies are not software programs and contain no viruses, Trojans, or other “malware.” Cookies cannot access information from your PC.

Here’s an example of how cookie data might look:

  • Name: _ga
  • Value: GA1.2.1326744211.152112110334-9
  • Purpose: Distinguishing website visitors
  • Expiration Date: After 2 years

These are the minimum sizes a browser should support:

  • At least 4096 bytes per cookie
  • At least 50 cookies per domain
  • At least 3000 cookies in total

Types of Cookies
The types of cookies we use depend on the services employed and are detailed in the following sections of this privacy policy. For now, we’ll briefly explain the four types of HTTP cookies:

  1. Essential Cookies
    These cookies are necessary to ensure the basic functions of the website. For example, when a user adds a product to the shopping cart, continues browsing, and then proceeds to checkout later, these cookies ensure that the shopping cart is not deleted, even if the user closes their browser window.

  2. Functional Cookies
    These cookies collect information about user behavior and whether the user receives any error messages. They are also used to measure the loading times and performance of the website under different browsers.

  3. Targeting Cookies
    These cookies enhance user experience by storing locations, font sizes, or form data.

  4. Advertising Cookies
    Also known as targeting cookies, they are used to deliver personalized ads to the user. These cookies can be convenient but can also be annoying.

Purpose of Cookie Processing

The purpose of cookies ultimately depends on the specific cookie being used. Further details can be found below or with the provider of the software that sets the cookie.

Which Data is Processed?
Cookies can be used for many different purposes and can store various types of data. Unfortunately, it is not possible to generalize which data is stored, but we will inform you in this privacy policy about the processed or stored data for each specific service.

Storage Duration of Cookies
The storage duration of cookies depends on the respective cookie and is described in more detail further below. Some cookies are deleted immediately after leaving the website, while others can remain stored on your device for years.
You have control over the storage duration as well. You can manually delete all cookies at any time through your browser settings (see below under “Right to Object”). Cookies based on consent will be deleted as soon as you withdraw your consent, and any storage until that point will remain lawful.

Right to Object – How to Delete Cookies
You can decide how cookies are used. Regardless of which service or website the cookies come from, you always have the option to delete, disable, or partially allow cookies. For example, you can choose to block cookies from third parties while allowing all other cookies.

If you want to see which cookies have been stored in your browser, or if you want to change or delete cookie settings, you can do this in your browser settings.

If you generally do not want to use cookies, you can set your browser to notify you whenever a cookie is set. This allows you to decide whether to allow or reject each individual cookie. The process is different depending on the browser. It is best to look for instructions in Google using the search term “delete cookies in Chrome” or “disable cookies in Chrome” if you are using Chrome, for example.

Legal Basis
Since 2009, the so-called “Cookie Guidelines” have been in place. These state that storing cookies requires your consent (Article 6 (1) lit. a GDPR). Within the EU countries, however, there have been very different reactions to these guidelines. In Austria, this directive was implemented in Section 96 (3) of the Telecommunications Act (TKG). In Germany, the Cookie Directive was not implemented as national law. Instead, the provisions of this directive are largely reflected in Section 15 (3) of the German Telemedia Act (TMG).

For essential cookies, even if no consent is given, there are legitimate interests (Article 6 (1) lit. f GDPR), which are mostly of an economic nature. We want to provide visitors to our website with a pleasant user experience, and for this, certain cookies are often absolutely necessary.

Where cookies that are not essential are used, this will only happen based on your consent. The legal basis is therefore Article 6 (1) lit. a GDPR.

In the following sections, you will be informed in more detail about the use of cookies, if any software used employs cookies.

Web Hosting

Web Hosting Overview

  • Affected Parties: Visitors to the website
  • Purpose: Professional hosting of the website and ensuring the secure operation
  • Processed Data: IP address, time of website visit, browser used, and other data. More details can be found below or with the respective web hosting provider.
  • Storage Duration: Depends on the respective provider, but generally 2 weeks
  • Legal Basis: Article 6 (1) lit. f GDPR (legitimate interests)

What is Web Hosting?
Whenever you visit websites, certain information, including personal data, is automatically created and stored. This data should be processed as sparingly as possible and only with justification. When we say website, we mean all web pages on a domain, i.e., everything from the homepage (landing page) to the last subpage (such as this one). When we say domain, we mean, for example, example.com or samplewebsite.com.

When you want to view a website on your computer, tablet, or smartphone, you use a program called a web browser. You probably know some browsers by name: Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari. We refer to these simply as browsers.

To display the website, the browser must connect to another computer where the website’s code is stored, known as the web server. Operating a web server is a complicated and costly task, so this is usually handled by professional providers, known as hosting providers, who offer web hosting services to reliably store the data for websites. These terms might sound complex, but please bear with us as it gets clearer!

When your browser connects to our web server and during the transmission of data to and from the web server, personal data may be processed. On the one hand, your computer stores data, and on the other hand, the web server must store data for a while to ensure proper operation.

The following graphic illustrates the interaction between a web browser (e.g., Chrome) and the Internet and the hosting provider.

Browser and Web Server Interaction

Why Do We Process Personal Data?
The purposes of data processing are as follows:

  • Professional hosting of the website and ensuring its security and operation
  • Maintaining operational and IT security
  • Anonymous evaluation of access behavior to improve our offering and, if necessary, to pursue claims or enforce legal rights.

Which Data is Processed?
Even as you are reading this text, our web server—the computer on which this website is stored—usually automatically saves data such as:

  • The complete Internet address (URL) of the accessed website
  • Browser and browser version (e.g., Chrome 87)
  • The operating system used (e.g., Windows 10)
  • The address (URL) of the previously visited page (referrer URL) (e.g., https://examplewebsite.com/where-i-came-from/)
  • The hostname and IP address of the device from which the website is accessed (e.g., COMPUTERNAME and 194.23.43.121)
  • Date and time in log files

How Long is Data Stored?
The above-mentioned data is generally stored for two weeks and then automatically deleted. We do not pass on this data, but we cannot exclude that this data may be viewed by authorities in the event of unlawful behavior.

In short: Your visit is recorded by our provider (the company that hosts our website on special computers/servers), but we do not share your data without consent!

Legal Basis
The legality of processing personal data within the scope of web hosting results from Article 6 (1) lit. f GDPR (legitimate interests), as the use of professional hosting by a provider is necessary to present the company on the Internet in a secure and user-friendly manner and to be able to pursue any claims arising from this.

We usually have a contract for order processing (Data Processing Agreement, DPA) with the hosting provider, which ensures compliance with data protection and guarantees data security.

Cookie Consent Management Platform

Cookie Consent Management Platform Overview

  • Affected Parties: Visitors to the website.
  • Purpose: To obtain and manage consent for specific cookies and tools.
  • Processed Data: Data for managing set cookie preferences, such as IP address, time of consent, type of consent, and individual consents. More details can be found below or in the privacy policy of the respective tool used.
  • Storage Duration: Depends on the tool used, but expect storage durations ranging from several months to a few years.
  • Legal Basis: Article 6 (1) lit. a GDPR (consent), Article 6 (1) lit. f GDPR (legitimate interests).

What is a Cookie Consent Management Platform?
We use a cookie consent management platform (CMP) software on our website to ensure the correct and secure handling of scripts and cookies. The software automatically creates a cookie pop-up, scans and controls all scripts and cookies, provides a legally required cookie consent option for you, and helps us and you keep track of all cookies used. Most CMP tools identify and categorize all existing cookies. As a website visitor, you can then decide whether to allow or block specific cookies and scripts. The following graphic shows the relationship between the browser, web server, and CMP:

Consent Management Platform Overview

Why Do We Use a Cookie Management Tool?
Our goal is to provide you with the highest possible transparency in terms of data protection. Moreover, we are legally obligated to do so. We want to inform you about all tools and cookies that can store and process data about you. It is also your right to decide which cookies you want to allow and which you do not. To enable you to exercise this right, we must first identify exactly which cookies are stored on our website. By using a cookie management tool that regularly scans our website for existing cookies, we are always aware of the cookies and can provide you with GDPR-compliant information about them. Through the consent management system, you can then decide to accept or reject certain cookies.

Which Data is Processed?
With our cookie management tool, you can manage every single cookie individually and have full control over the storage and processing of your data. Your consent statement is stored so that we do not have to ask you again each time you visit our website and to demonstrate your consent, if legally required. This data is stored either in an opt-in cookie or on a server. The storage duration of your cookie consent depends on the provider of the cookie management tool. Generally, this data (such as pseudonymous user ID, time of consent, details about the cookie categories or tools, browser, device information) is stored for up to two years.

Duration of Data Processing
We provide further information on the duration of data processing below, if we have such information available. Generally, we process personal data only for as long as necessary to provide our services and products. Data stored in cookies can have varying durations. Some cookies are deleted immediately upon leaving the website, while others may remain stored for several years. The exact duration of data processing depends on the tool used, and storage durations of several years should generally be expected. Detailed information about the duration of data processing can usually be found in the privacy policy of each provider.

Right to Object
You have the right to revoke your consent for cookies and the use of third-party cookie management tools at any time. This can be done either through our cookie management tool or through other opt-out options. For example, you can also prevent data collection by cookies by managing, disabling, or deleting cookies in your browser.

Information on specific cookie management tools, if used, can be found in the following sections.

Legal Basis
If you have consented to the use of cookies, the processing of personal data based on these cookies will be performed in accordance with your consent. If we are allowed to use cookies based on your consent (Article 6 (1) lit. a GDPR), this consent is also the legal basis for the processing of personal data as collected through cookies.

Our legitimate interest in using cookie management tools is based on the efficient and legally compliant operation of our website, which constitutes a legitimate interest under Article 6 (1) lit. f GDPR. We use such tools, however, only insofar as you have provided your consent. We want to emphasize this point again here.

BorlabsCookie Privacy Policy

We use BorlabsCookie on our website, a tool for managing and storing your cookie consents. The service provider is the German company Borlabs – Benjamin A. Bornschein, Rübenkamp 32, 22305 Hamburg, Germany. You can find more details about the data processed by BorlabsCookie in their privacy policy at https://de.borlabs.io/datenschutz/.

Security & Anti-Spam

Security & Anti-Spam Overview

  • Affected Parties: Visitors to the website.
  • Purpose: Cybersecurity.
  • Processed Data: Data such as your IP address, name, or technical data like browser version. More details can be found below and in the individual privacy policies.
  • Storage Duration: Most data is stored until it is no longer needed for service purposes.
  • Legal Basis: Article 6 (1) lit. a GDPR (consent), Article 6 (1) lit. f GDPR (legitimate interests).

What is Security & Anti-Spam Software?
Security & anti-spam software can protect you and us from various spam or phishing emails and potential cyberattacks. Spam refers to unsolicited mass emails, often referred to as data garbage, which can sometimes incur costs. Phishing emails, on the other hand, are messages that attempt to gain access to personal data by establishing trust through fake messages or websites. Anti-spam software typically protects against unwanted spam messages or malicious emails that could introduce viruses into our system. We also use general firewall and security systems that protect our computers against unauthorized network traffic.

Why Do We Use Security & Anti-Spam Software?
We place a high priority on security on our website, as it concerns both our security and, more importantly, yours. Unfortunately, cyber threats are now part of everyday life in the IT and internet world. Often, hackers try to steal personal data from an IT system through a cyberattack. Therefore, a good defense system is absolutely necessary. A security system monitors all incoming and outgoing connections to our network or computer. In addition to the standard security systems on our computers, we also use external security services to achieve even greater protection against cyberattacks. Unauthorized data traffic is better intercepted, protecting us against cybercrime.

Which Data is Processed by Security & Anti-Spam Software?
The exact data collected and stored depends on the specific service. However, we always strive to use programs that collect as little data as possible or only data necessary for the service to function. In general, the service may store data such as your name, address, IP address, email address, and technical data like browser type or version. Performance and log data may also be collected to detect incoming threats in a timely manner. These data are processed as part of the services and in compliance with applicable laws. For US-based providers (using standard contractual clauses), this includes compliance with the GDPR. These security services sometimes work with third parties, who may process or store data in accordance with the data protection policies and other security measures. Data storage usually occurs through cookies.

Duration of Data Processing
Information on the duration of data processing is provided below, if available. For example, security programs store data until you or we delete the stored data. In general, personal data is stored only as long as it is necessary to provide services. Unfortunately, providers often do not provide precise information about the length of data storage.

Right to Object
You have the right to revoke your consent for the use of cookies or third-party security software at any time. This can be done through our cookie management tool or other opt-out options. For example, you can also prevent data collection by managing, disabling, or deleting cookies in your browser.

Since such security services may also use cookies, we recommend reading our general privacy policy regarding cookies. To find out exactly what data is stored and processed about you, read the respective privacy policies of the tools.

Legal Basis
We primarily use security services based on our legitimate interest (Article 6 (1) lit. f GDPR) in having a robust security system against various cyberattacks.

Certain data processing activities, particularly the use of cookies and security functions, require your consent. If you have consented to the processing and storage of your data by integrated security services, this consent serves as the legal basis for data processing (Article 6 (1) lit. a GDPR). Most of the services we use store cookies in your browser to save data. Therefore, we recommend reading our privacy policy on cookies and reviewing the respective service provider’s privacy policy.

Web Design

Web Design Privacy Policy Overview

  • Affected Parties: Visitors to the website.
  • Purpose: Improving user experience.
  • Processed Data: Data processed varies greatly depending on the services used. It typically includes IP address, technical data, language settings, browser version, screen resolution, and browser name. More details can be found in the privacy policies of the respective web design tools.
  • Storage Duration: Depends on the web design tools used.
  • Legal Basis: Article 6 (1) lit. a GDPR (consent), Article 6 (1) lit. f GDPR (legitimate interests).

What is Web Design?
We use various tools on our website that contribute to web design. Contrary to popular belief, web design is not just about making a website look good but also about its functionality and performance. Of course, the visual appeal of a website is also one of the main goals of professional web design. Web design is a subset of media design and deals with both the visual and structural as well as functional design of a website. The goal is to use web design to improve your experience on our website. In web design jargon, this is called User Experience (UX) and Usability. User Experience refers to all impressions and experiences that a website visitor has on a website. A sub-point of the User Experience is Usability, which concerns the user-friendliness of a website. The focus is on ensuring that content, subpages, or products are clearly structured and easy to find. To provide you with the best possible experience on our website, we also use so-called web design tools from third parties. The category “Web Design” in this privacy policy includes all services that enhance our website visually and structurally. These can be fonts, various plugins, or other embedded web design functionalities.

Web Design Tools

The following sections provide detailed information on the specific web design tools we use, including their purpose, what data they process, and how they help improve the visual and functional quality of our website.

Adobe Fonts Privacy Policy

We use Adobe Fonts, a web font hosting service, on our website. The service provider is Adobe Inc., headquartered in the United States. For the European region, the responsible entity is Adobe Systems Software Ireland Companies, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland.
Adobe also processes data about you in the United States. We note that, according to the European Court of Justice, there is currently no adequate level of data protection for data transfers to the USA. This may pose risks regarding the legality and security of data processing.

As a basis for data processing by recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, and particularly in the USA), Adobe uses so-called Standard Contractual Clauses (SCC) pursuant to Art. 46 (2) and (3) GDPR. Standard Contractual Clauses are template agreements provided by the EU Commission that are intended to ensure your data is processed in accordance with European data protection standards, even when transferred and stored outside the EU. Adobe commits to upholding the European level of data protection when processing your data, even if it is stored, processed, or managed in the USA. These clauses are based on a decision by the EU Commission. You can find the decision and the Standard Contractual Clauses here: EU Commission’s SCC Decision.

The data processing terms that align with the Standard Contractual Clauses can be found under: Adobe Data Processing Agreement.

For more information on the data processed by Adobe Fonts, visit their privacy policy.

Why Do We Use Adobe Fonts on Our Website?
Adobe Fonts allows us to use fonts that are not stored on our own server, improving the website’s loading times and ensuring a visually consistent display of our content across various devices and browsers. This helps us enhance the user experience on our website, as fonts influence the website’s aesthetics, readability, and overall feel.

Which Data Does Adobe Fonts Store?
When you access our website, your browser establishes a connection to Adobe’s servers. This transmits data such as:

  • IP address
  • Technical data about your browser and operating system
  • The version of the font being requested
  • Screen resolution
  • Browser and OS language settings

Adobe does not set any cookies on your device during this process. The company uses the collected data to maintain its services, resolve technical issues, and improve the quality of the fonts.

How Long and Where is the Data Stored?
Adobe stores the data mainly on servers in the United States and does not delete data immediately. The duration depends on the specific data collected, but generally, font-related data is kept for a shorter period.

How Can I Delete My Data or Prevent Storage?
To prevent data transmission, you can disable JavaScript in your browser. However, without JavaScript, the fonts will not load and the website may not appear as intended. If you wish to delete data stored by Adobe, you must contact their support or review their privacy policy for detailed instructions.

Legal Basis
The legal basis for the use of Adobe Fonts is your consent (Article 6 (1) lit. a GDPR) and our legitimate interest in providing a visually appealing website (Article 6 (1) lit. f GDPR). We only use Adobe Fonts with your consent, as indicated through our cookie consent tool or another consent mechanism.


Font Awesome Privacy Policy

We use Font Awesome, a web icon font service, on our website. The service provider is the American company Fonticons Inc., 307 S. Main St., Suite 202, Bentonville, AR 72712, USA.
Font Awesome enables us to use scalable icons and fonts on our website, making our content visually appealing and ensuring a consistent display across devices.

Why Do We Use Font Awesome on Our Website?
Font Awesome helps improve the visual presentation of our website and enhances the user experience by offering modern, easy-to-use icons and fonts. Using Font Awesome’s icons saves bandwidth and ensures quick loading times as the icons are loaded as HTML elements, not images.

Which Data Does Font Awesome Store?
When you access our website, your browser establishes a connection to Fonticons’ servers. The following data is processed:

  • IP address
  • Technical data, such as your browser version and operating system
  • The specific icon files that were loaded
  • Time and date of the access

Font Awesome collects this data to maintain and improve the delivery of its Content Delivery Network (CDN), to ensure technical stability, and to calculate usage statistics. According to current knowledge, Font Awesome does not set any cookies and does not store personal data beyond the usage statistics.

How Long and Where is the Data Stored?
The data is stored on servers worldwide, including in the USA. The duration of storage depends on the type of data, but identifiable data is generally stored for a few weeks. Aggregated statistics, which do not contain personal information, may be stored longer.

How Can I Delete My Data or Prevent Storage?
To prevent data from being transmitted, you can disable JavaScript in your browser or use a plugin that blocks connections to Font Awesome servers. However, this might affect the display of icons on our website. If your browser does not support web fonts, a default font will be used instead.

Legal Basis
The use of Font Awesome is based on your consent (Article 6 (1) lit. a GDPR) and our legitimate interest in a visually optimized and technically efficient website (Article 6 (1) lit. f GDPR). We only use Font Awesome if you have consented to its use via our cookie consent tool.

For more details on how Font Awesome handles data, please visit their privacy policy.

Analytics and Tracking Tools

Analytics and tracking tools help us understand how users interact with our website, allowing us to optimize content, improve user experience, and monitor performance. The following sections outline the specific tools we use, what data is collected, and the purpose of their use.

Google Analytics Privacy Policy

We use Google Analytics, a web analytics service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) or, for users in the European Economic Area (EEA) and Switzerland, by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland).
Google Analytics allows us to analyze user behavior on our website. This information is used to create detailed reports and gain insights into visitor interactions with our content, which helps us improve our site and provide a better user experience.

Why Do We Use Google Analytics on Our Website?
Our goal is to optimize our website’s user experience, content, and design to create a seamless and informative journey for our visitors. Google Analytics provides us with the necessary data and tools to analyze traffic, detect trends, and identify popular content. By using this information, we can tailor our site’s layout and structure to better meet the needs and preferences of our users.

Which Data Does Google Analytics Store?
Google Analytics collects data such as:

  • IP address (anonymized before storage)
  • Browser type and version
  • Operating system
  • Referrer URL (the previously visited page)
  • Time of server request
  • Pages visited
  • Duration of visit
  • User behavior, such as clicks, scrolls, and interactions
  • Device type (mobile, desktop, tablet)

Google Analytics primarily uses cookies to store data about user interactions. The collected data is typically transmitted to a Google server in the United States and stored there. However, we have enabled IP anonymization, which means that Google truncates the IP address within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before transmitting it to the USA.

How Long and Where is the Data Stored?
The data retention period for Google Analytics is typically 14 months. After this period, the data is automatically deleted. In some cases, data may be retained longer if needed for aggregated reports.

How Can I Delete My Data or Prevent Storage?
You can prevent Google from collecting and processing your data by:

  1. Installing the Google Analytics Opt-out Browser Add-on.
  2. Disabling cookies in your browser settings.
  3. Using our cookie consent tool to reject the use of Google Analytics cookies.

If you want to delete the data collected through Google Analytics, you will need to contact Google directly. For more information, see Google’s Privacy Policy.

Legal Basis
The use of Google Analytics is based on your consent (Article 6 (1) lit. a GDPR). We obtain this consent through our cookie consent tool, which allows you to choose whether or not to allow Google Analytics tracking on your device.


Marketing and Remarketing Tools

Marketing and remarketing tools help us target our audience more precisely and display tailored ads to users who have previously visited our website. These tools use various technologies, such as cookies and pixels, to track user behavior and create user profiles for more effective marketing campaigns.

Google Ads (Google AdWords) Conversion Tracking Privacy Policy

We use Google Ads (formerly known as Google AdWords), a service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) or, for users in the European Economic Area (EEA) and Switzerland, by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Google Ads helps us place targeted ads on Google and its partner sites and track conversions. Conversions refer to actions that we consider valuable, such as form submissions, purchases, or calls.

Why Do We Use Google Ads on Our Website?
Our aim is to increase the visibility of our website and services and attract more potential customers. With Google Ads, we can reach people who are actively searching for topics related to our offerings. Conversion tracking allows us to measure the effectiveness of our ad campaigns and adjust our strategy to improve performance.

Which Data Does Google Ads Collect?
When you click on one of our Google ads, a cookie is set on your device. This cookie stores information such as:

  • Clicked ad
  • Browser type and version
  • IP address (usually anonymized)
  • Device type
  • Conversion status (whether a valuable action, like a form submission or purchase, took place)

Google Ads uses this data to compile conversion reports for us. These reports show the total number of conversions and help us evaluate the performance of our ads. No personally identifiable information is shared with us.

How Long and Where is the Data Stored?
The conversion cookies expire after 30 days. They do not store personal data and are used only to track whether users complete an action on our site. The data is transmitted to Google servers in the USA, where it is stored and processed in accordance with Google’s privacy policy.

How Can I Delete My Data or Prevent Storage?
You can disable conversion tracking cookies by:

  1. Adjusting your browser settings to block cookies from the domain googleadservices.com.
  2. Opting out of personalized advertising by visiting the Google Ad Settings page.
  3. Using our cookie consent tool to reject the use of tracking cookies.

For more information, visit Google’s privacy policy.

Legal Basis
The use of Google Ads and its conversion tracking is based on your consent (Article 6 (1) lit. a GDPR). We obtain this consent through our cookie consent tool, allowing you to control whether or not to accept these cookies.


Social Media Plug-ins

We use various social media plug-ins (e.g., Facebook, Instagram, LinkedIn) to enable social sharing and interaction on our website. These plug-ins may collect data such as IP address, referrer URL, and usage patterns, depending on your interactions. Social media plug-ins typically only collect data if you are logged into the respective platforms while visiting our site.

For detailed information about each social media plug-in and its data processing practices, please refer to the privacy policy of the respective platform:

Legal Basis
The integration of social media plug-ins is based on your consent (Article 6 (1) lit. a GDPR). You can manage your preferences through our cookie consent tool.

Data Transfer to Third Countries

We transfer or process data in countries outside the EU (third countries) only when one of the following conditions applies:

  1. You have given your explicit consent for the transfer of data.
  2. It is legally required or contractually necessary and, in all cases, only to the extent that it is permitted.
  3. There are suitable safeguards in place to ensure that your data is handled in accordance with GDPR.

Why Do We Transfer Data to Third Countries?

Many software providers we work with, such as hosting providers, cloud services, or analytics tools, have servers located in third countries like the United States. This data transfer enables us to offer our services in a more efficient and user-friendly manner. However, we ensure that all data processing complies with the required data protection standards of the European Union.

What are the Risks of Data Transfer to Third Countries?

Data transfer to third countries like the USA can pose risks because, according to the European Court of Justice, there is currently no adequate level of data protection for data transfers to the USA. This means that personal data transferred to the USA can be subject to unforeseen processing and storage, such as:

  • Access by US authorities: U.S. authorities may, under certain circumstances, have access to personal data processed in the U.S.
  • Lack of control: Once the data is transferred to the U.S., the control over it can be more limited, especially regarding further processing or storage by service providers.

Where possible, we use server locations within the EU. However, if data must be transferred to third countries, we ensure that this is done in accordance with GDPR standards.

How Do We Ensure Data Protection?

To ensure the security of your data, we implement one or more of the following measures for transfers to third countries:

  1. Standard Contractual Clauses (SCC): We use the EU’s Standard Contractual Clauses (SCC) for transfers to processors outside the EU. These clauses are contractual agreements that bind the recipient of the data to comply with European data protection standards.
  2. Binding Corporate Rules (BCR): BCRs are internal rules adopted by multinational companies to enable international transfers within their organization.
  3. Additional Measures: If needed, we apply additional technical and organizational measures, such as data pseudonymization or encryption, to safeguard data during transfer.

For more detailed information on SCCs, please refer to the EU Commission’s page: EU Standard Contractual Clauses.

Example of Third-Country Data Transfers

If we use a service like Google Analytics, your data may be transferred to Google’s servers in the USA. While we apply IP anonymization to minimize the amount of personal data transmitted, the transfer still occurs based on SCCs or other legally required mechanisms to ensure data protection.


Data Security Measures

We take both technical and organizational measures to ensure that your personal data is protected. Where possible, we encrypt or pseudonymize personal data to make it as difficult as possible for third parties to extract personal information from our data.

Article 25 of the GDPR refers to “data protection through technology design and data protection-friendly default settings.” This means that, whether it’s software (e.g., forms) or hardware (e.g., access to the server room), security is a constant focus, and appropriate measures are put in place.

The following are the key data security measures we implement:

  • TLS Encryption:
    TLS stands for Transport Layer Security, and it is a protocol used for encrypting data transmission over the Internet. We use TLS (the encryption layer behind HTTPS) to secure the transmission of data between your browser and our web servers, preventing third parties from eavesdropping on or manipulating data. You can recognize a secured connection by the padlock symbol in your browser’s address bar and the use of “https” instead of “http” in the URL.

  • Access Control:
    We implement access control measures to ensure that only authorized personnel can access personal data. This includes the use of password protection, multi-factor authentication, and role-based access permissions.

  • Data Minimization:
    We process and store only the minimum amount of personal data necessary to provide our services. We regularly review our data collection and retention policies to ensure compliance with the GDPR principle of data minimization.

  • Regular Security Audits:
    We conduct regular security audits and risk assessments to identify potential vulnerabilities in our systems and take appropriate measures to mitigate those risks.

  • Data Backup and Recovery Plans:
    We maintain regular backups of personal data to ensure data availability and integrity in case of a data loss event. These backups are stored in secure locations and are subject to the same security measures as our primary data storage systems.


Your Rights under the GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights:

  1. Right to Access (Article 15 GDPR):
    You have the right to obtain information on whether we process personal data about you. If this is the case, you can request a copy of the data we hold and further details, such as:

    • The purposes of the data processing
    • The categories of personal data being processed
    • The recipients or categories of recipients to whom the personal data has been or will be disclosed
    • The planned retention period or the criteria used to determine this period
    • The existence of the right to request rectification, erasure, or restriction of processing
    • The right to lodge a complaint with a supervisory authority
    • The source of the data if we did not collect it from you
    • The use of automated decision-making, if applicable
  2. Right to Rectification (Article 16 GDPR):
    You have the right to request the correction of inaccurate personal data about you or the completion of incomplete data.

  3. Right to Erasure (Article 17 GDPR):
    You have the right to request the deletion of your personal data, commonly referred to as the “right to be forgotten,” if one of the following reasons applies:

    • The data is no longer necessary for the purposes for which it was collected or processed.
    • You withdraw your consent, and there is no other legal basis for processing.
    • You object to the processing, and there are no overriding legitimate grounds for processing.
    • The data was processed unlawfully.
    • The data must be deleted to comply with a legal obligation.
  4. Right to Restriction of Processing (Article 18 GDPR):
    You have the right to request the restriction of processing under certain conditions, such as when you contest the accuracy of the data or the legality of the processing.

  5. Right to Data Portability (Article 20 GDPR):
    You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to request the transfer of this data to another controller.

  6. Right to Object (Article 21 GDPR):
    You have the right to object to the processing of your personal data when processing is based on legitimate interests or is performed for direct marketing purposes.

  7. Right to Withdraw Consent (Article 7 GDPR):
    If we process your personal data based on your consent, you have the right to withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal.

  8. Right to Lodge a Complaint (Article 77 GDPR):
    If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. In Austria, this is the Data Protection Authority (Datenschutzbehörde). In Germany, there is a data protection officer for each federal state.

    • Austrian Data Protection Authority Contact Details:
      Mag. Dr. Andrea Jelinek (Head of the Authority)
      Address: Barichgasse 40-42, 1030 Vienna, Austria
      Telephone: +43 1 52 152-0
      Email: dsb@dsb.gv.at
      Website: https://www.dsb.gv.at

If you have any questions regarding the processing of your personal data or would like to exercise your rights under the GDPR, please contact the responsible person or entity listed in the Contact Details section above or in our Impressum.