Privacy policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and particularly on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer").

The terms used are not gender-specific.

Status: June 1, 2025

Table of Contents

• Preamble

• Controller

• Overview of Processing

• Relevant Legal Bases

• Security Measures

• Transfer of Personal Data

• International Data Transfers

• General Information on Data Storage and Deletion

• Rights of Data Subjects

• Business Services

• Payment Procedures

• Provision of the Online Offer and Web Hosting

• Use of Cookies

• Blogs and Publication Media

• Contact and Inquiry Management

• Communication via Messenger

• Newsletters and Electronic Notifications

• Contests and Competitions

• Web Analytics, Monitoring, and Optimization

• Online Marketing

• Customer Reviews and Rating Procedures

• Social Media Presence

• Plug-ins and Embedded Functions and Content

• Management, Organization, and Support Tools

• Processing of Data in Employment Contexts

• Changes and Updates

• Definitions

Controller

Ece Erözü / SIRIUS DESIGN STUDIO
Peuerbachstraße 28
4040 Linz, Austria

Email Address: artsirius.design@gmail.com

Overview of Processing

The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects concerned.

Types of Data Processed

• Inventory data.

• Employee data.

• Payment data.

• Contact data.

• Content data.

• Contract data.

• Usage data.

• Meta, communication, and procedural data.

• Log data.

Categories of Data Subjects

• Recipients of services and customers.

• Employees.

• Interested parties.

• Communication partners.

• Users.

• Contest and competition participants.

• Business and contractual partners.

Purposes of Processing

• Provision of contractual services and fulfillment of contractual obligations.

• Communication.

• Security measures.

• Direct marketing.

• Reach measurement.

• Tracking.

• Office and organizational procedures.

• Conversion measurement.

• Audience formation.

• Organizational and administrative procedures.

• Conducting contests and competitions.

• Feedback.

• Marketing.

• Profiles with user-related information.

• Provision of our online offer and user-friendliness.

• Establishment and execution of employment relationships.

• Information technology infrastructure.

• Public relations.

• Business processes and economic procedures.

Relevant Legal Bases

Relevant legal bases under the GDPR: The following provides an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the GDPR regulations, national data protection regulations may apply in your or our country of residence or domicile. If specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.

• Consent (Art. 6(1)(1)(a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.

• Contract performance and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR) - The processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.

• Legal obligation (Art. 6(1)(1)(c) GDPR) - The processing is necessary for compliance with a legal obligation to which the controller is subject.

• Legitimate interests (Art. 6(1)(1)(f) GDPR) - The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

• Processing of special categories of personal data related to healthcare, profession, and social security (Art. 9(2)(h) GDPR) - The processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, for medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services based on Union or Member State law or pursuant to a contract with a health professional.

National data protection regulations in Austria: In addition to the GDPR, national data protection regulations apply in Austria. This includes, in particular, the Federal Act on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act – DSG). The Data Protection Act contains specific provisions on the right to access, the right to rectification or erasure, the processing of special categories of personal data, the processing for other purposes, and the transfer as well as automated decision-making in individual cases.

Note on the applicability of the GDPR and Swiss DSG: These data protection notices serve both to provide information in accordance with the Swiss DSG and the General Data Protection Regulation (GDPR). Therefore, please note that due to the broader spatial application and understandability, the terms of the GDPR are used. Specifically, instead of the terms "processing" of "personal data", "overriding interest", and "particularly sensitive personal data" used in the Swiss DSG, the terms "processing" of "personal data", "legitimate interest", and "special categories of data" used in the GDPR are applied. The legal significance of the terms is, however, determined by the Swiss DSG within the framework of its applicability.

Security Measures

We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, in accordance with legal requirements and considering the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of the processing, as well as the different probabilities of occurrence and the severity of the threat to the rights and freedoms of natural persons.

These measures include, in particular, securing the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access to the data itself, input, transfer, ensuring availability, and their separation. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data, and responses to data threats. Additionally, we consider the protection of personal data already during the development or selection of hardware, software, and procedures according to the principle of data protection through technology design and through privacy-friendly default settings.

Securing online connections using TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. If a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator for users that their data is being transmitted securely and encrypted.

Transmission of Personal Data

In the course of processing personal data, it may occur that this data is transmitted to other entities, companies, legally independent organizational units, or individuals, or disclosed to them. The recipients of this data can include, for example, service providers tasked with IT responsibilities or providers of services and content integrated into a website. In such cases, we comply with the legal requirements and specifically enter into appropriate contracts or agreements with the recipients of your data to protect your data.

International Data Transfers

Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or the processing occurs in the context of using third-party services or disclosing or transmitting data to other persons, entities, or companies, this is done only in accordance with legal requirements. Provided that the level of data protection in the third country is recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers occur only if the data protection level is otherwise ensured, in particular through standard contractual clauses (Art. 46 para. 2 lit. c GDPR), explicit consent, or in the case of contractual or legally required transfer (Art. 49 para. 1 GDPR). Furthermore, we inform you of the foundations of third-country transfers with the individual providers from the third country, with adequacy decisions being the primary basis. Information on third-country transfers and existing adequacy decisions can be found on the EU Commission's information site: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

EU-US Trans-Atlantic Data Privacy Framework: Within the framework of the so-called "Data Privacy Framework" (DPF), the EU Commission has also recognized the level of data protection for certain companies from the USA as secure in the context of the adequacy decision of 10.07.2023. The list of certified companies and further information on the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English). We inform you in the context of the data protection notices which service providers we use are certified under the Data Privacy Framework.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with legal requirements as soon as the consents underlying the processing are revoked or there are no further legal bases for the processing. This applies to cases where the original purpose of the processing ceases to exist or the data is no longer needed. Exceptions to this rule exist when legal obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly.

Our data protection notices contain additional information on the retention and deletion of data that specifically applies to certain processing operations.

In cases where multiple retention periods or deletion deadlines for data are provided, the longest period is always applicable.

If a period does not expressly start on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships in which data is stored, the triggering event is the time of the effective termination or other end of the legal relationship.

Data that is no longer needed for the originally intended purpose but is retained due to legal requirements or other reasons is processed solely for the reasons that justify its retention.

Further information on processing operations, procedures, and services:

• Retention and deletion of data: The following general periods apply under Austrian law for retention and archiving:

  • 10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balances, booking receipts, and invoices as well as all necessary work instructions and other organizational documents (Federal Fiscal Code (BAO §132), Commercial Code (UGB §§190-212)).

  • 6 years - Other business documents: Received commercial or business letters, copies of sent commercial or business letters, and other documents relevant to tax purposes. This includes, for example, hourly wage slips, business accounting sheets, calculation documents, price lists, and payroll documents, unless they are already booking receipts and cash receipts (Federal Fiscal Code (BAO §132), Commercial Code (UGB §§190-212)).

  • 3 years - Data necessary to consider potential warranty and damage claims or similar contractual claims and rights and related inquiries, based on past business experience and common industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 1478, 1480 ABGB).

​

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, particularly those arising from Art. 15 to 21 GDPR:

• Right to object: You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you that is based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling, insofar as it is related to such direct marketing.

• Right to withdraw consent: You have the right to withdraw consents at any time.

• Right of access: You have the right to request confirmation of whether data concerning you is being processed and to obtain information about this data as well as further information and a copy of the data in accordance with legal requirements.

• Right to rectification: You have the right, in accordance with legal requirements, to request the completion or correction of data concerning you.

• Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to request that data concerning you be deleted without delay, or alternatively, to request a restriction of the processing of the data in accordance with legal requirements.

• Right to data portability: You have the right to receive the data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, or to request its transfer to another controller, in accordance with legal requirements.

• Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data concerning you infringes the GDPR.

Rights of Data Subjects

Rights of data subjects under the GDPR: Data subjects have various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:

• Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you, which is based on Article 6(1)(e) or (f) of the GDPR, including profiling based on those provisions. If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

• Right to Withdraw Consent: You have the right to withdraw your consent at any time.

• Right to Information: You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and additional information and copies of the data according to legal requirements.

• Right to Rectification: You have the right, according to legal requirements, to request the completion of your personal data or the rectification of your inaccurate personal data.

• Right to Erasure and Restriction of Processing: You have the right, in accordance with legal requirements, to request the immediate erasure of personal data concerning you or, alternatively, to request the restriction of processing of data according to legal requirements.

• Right to Data Portability: You have the right, according to legal requirements, to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format or to request the transmission of those data to another controller.

• Right to Lodge a Complaint with a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

Business Services

We process data of our contractual and business partners, e.g., customers and prospects (collectively referred to as "contractual partners"), within the scope of contractual and comparable legal relationships as well as associated measures and with regard to communication with contractual partners (or pre-contractually), for example, to respond to inquiries.

We use this data to fulfill our contractual obligations. This includes, in particular, obligations to provide the agreed services, any obligations to update, and to remedy warranty and other service disruptions. In addition, we use the data to safeguard our rights and for the purposes of administrative tasks associated with these obligations and corporate organization. Furthermore, we process the data based on our legitimate interests in both proper and business management as well as security measures to protect our contractual partners and our business operations from misuse, safeguarding their data, secrets, information, and rights (e.g., involving telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). In the context of the applicable legal provisions, we only pass on data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or for the fulfillment of legal obligations. Contractual partners are informed about further processing, e.g., for marketing purposes, within the scope of this data protection declaration.

We inform contractual partners about which data is required for the aforementioned purposes before or in the course of data collection, e.g., in online forms, through special marking (e.g., colors) or symbols (e.g., asterisks or similar), or in person.

We delete the data after the expiration of statutory warranty and comparable obligations, i.e., in principle after four years, unless the data is stored in a customer account, e.g., as long as it must be retained for legal reasons of archiving (usually ten years for tax purposes). Data disclosed to us as part of an order by the contractual partner will be deleted in accordance with the specifications and, in principle, after the end of the order.

• Processed Data Types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact details (e.g., postal and email addresses or phone numbers); Contract data (e.g., contract object, duration, customer category); Usage data (e.g., page views and duration, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved parties).

• Affected Persons: Service recipients and clients; Prospects. Business and contractual partners.

• Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Security measures; Communication; Office and organizational procedures; Organizational and administrative procedures. Business processes and business management procedures.

• Retention and Deletion: Deletion according to information in the section "General information about data storage and deletion".

• Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Additional Notes on Processing Processes, Procedures, and Services:

• Online Shop, Order Forms, E-Commerce, and Delivery: We process the data of our customers to enable them to select, purchase, or order the chosen products, goods, and related services, as well as their payment and delivery or execution. If necessary for the execution of an order, we use service providers, especially postal, freight, and shipping companies, to carry out delivery or execution to our customers. For the processing of payment transactions, we use the services of banks and payment service providers. The required information is marked as such during the ordering or similar purchase process and includes the information required for delivery, provision, and invoicing, as well as contact information to be able to make inquiries if necessary; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

• Event Management: We process the data of the participants of the events, events, and similar activities offered or organized by us (hereinafter uniformly referred to as "participants" and "events"), in order to enable them to participate in the events and to take advantage of the services or actions associated with participation.
  
  If we process health-related data, religious, political, or other special categories of data within this framework, this is done within the framework of obviousness (e.g., for thematically oriented events or serves health care, security, or is done with the consent of the data subjects).
  
  The required information is marked as such in the context of the order, order, or similar conclusion of the contract and includes the information required for the provision of services and invoicing, as well as contact information to be able to make inquiries. To the extent that we have access to information from end customers, employees, or other persons, we process this in accordance with legal and contractual requirements; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Payment Processes

As part of contractual and other legal relationships, based on legal obligations or otherwise based on our legitimate interests, we offer the data subjects efficient and secure payment options and for this purpose use additional service providers alongside banks and credit institutions (collectively "payment service providers").

The data processed by the payment service providers includes inventory data, such as the name and address, banking data, such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as contract, amount, and recipient-related information. The information is necessary to carry out the transactions. However, the data entered is only processed and stored by the payment service providers. This means that we do not receive any account- or credit card-related information, but only information confirming or negatively confirming the payment. Under certain circumstances, the data may be transmitted to credit agencies by the payment service providers. This transmission serves identity and credit checks. We refer to the terms and conditions and data protection notices of the payment service providers for this purpose.

The business conditions and data protection notices of the respective payment service providers, which are available on the respective websites or transaction applications, apply to payment transactions. We also refer to these for further information and to exercise revocation, information, and other data subject rights.

• Processed Data Types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contract data (e.g., contract object, duration, customer category); Usage data (e.g., page views and duration, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved parties). Contact details (e.g., postal and email addresses or phone numbers).

• Affected Persons: Service recipients and clients; Business and contractual partners. Prospects.

• Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations. Business processes and business management procedures.

• Retention and Deletion: Deletion according to information in the section "General information about data storage and deletion".

• Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Additional Notes on Processing Processes, Procedures, and Services:

• American Express: Payment services (technical integration of online payment methods); Service Provider: American Express Europe S.A., Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.americanexpress.com/de/. Privacy Policy: https://www.americanexpress.com/de-de/firma/legal/datenschutz-center/online-datenschutzerklarung/.

• Klarna: Payment services (technical integration of online payment methods); Service Provider: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website:https://www.klarna.com/de. Privacy Policy:https://www.klarna.com/de/datenschutz.

• Mastercard: Payment services (technical integration of online payment methods); Service Provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.mastercard.de/de-de.html. Privacy Policy:https://www.mastercard.de/de-de/datenschutz.html.

• PayPal: Payment services (technical integration of online payment methods) (e.g., PayPal, PayPal Plus, Braintree); Service Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.paypal.com/de. Privacy Policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

• Visa: Payment services (technical integration of online payment methods); Service Provider: Visa Europe Services Inc., Branch London, 1 Sheldon Square, London W2 6TT, GB; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.visa.de; Privacy Policy:https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html. Basis for third-country transfers: Adequacy decision (GB).

Provision of Online Offerings and Web Hosting

We process user data to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the contents and functions of our online services to the user's browser or device.

• Processed Data Types: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); Meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons). Protocol data (e.g., log files regarding logins or data retrieval or access times).

• Affected Persons: Users (e.g., website visitors, users of online services).

• Purposes of Processing: Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)). Security measures.

• Storage and Deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion".

• Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Information on Processing Processes, Procedures, and Services:

• Provision of Online Offerings on Rented Storage Space: We use storage space, computing capacity, and software provided by a corresponding server provider (also called "web hoster") to provide our online offering; Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

• Collection of Access Data and Log Files: Access to our online offering is logged in the form of so-called "server log files". Server log files may include the address and name of the accessed websites and files, date and time of access, transmitted data volumes, message about successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider. Server log files may be used for security purposes, e.g., to prevent server overload (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure the load and stability of the servers; Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Data Deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is necessary for evidentiary purposes are excluded from deletion until the respective incident is finally clarified.

Use of Cookies

Cookies are small text files or other storage marks that store information on end devices and read it from them. For example, to store the login status in a user account, a shopping cart content in an e-shop, the accessed content, or used functions of an online offering. Cookies may also be used for various purposes, such as functionality, security, and convenience of online offerings, as well as for analyzing visitor flows.

Notes on Consent: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users, unless it is not required by law. Permission is particularly not necessary if storing and reading information, including cookies, is absolutely necessary to provide users with an explicitly requested telemedia service (i.e., our online offering). Revocable consent is clearly communicated to users and includes information about the respective cookie usage.

Notes on Data Protection Legal Bases: The legal basis on which we process users' personal data using cookies depends on whether we ask for consent. If users accept, the legal basis for using their data is the declared consent. Otherwise, if cookies are used based on our legitimate interests (e.g., in the business operation of our online offering and improving its usability) or if cookie usage is necessary for the fulfillment of our contractual obligations, the data processed using cookies will be processed. We clarify the purposes for which cookies are used in the course of this privacy policy or in the context of our consent and processing processes.

Storage Duration: In terms of storage duration, the following types of cookies are distinguished:

• Temporary Cookies (also: Session Cookies): Temporary cookies are deleted at the latest after a user has left an online offering and closed his device (e.g., browser or mobile application).

• Permanent Cookies: Permanent cookies remain stored even after the device is closed. For example, the login status can be stored and preferred content can be displayed directly when the user revisits a website. Likewise, user data collected using cookies may be used for reach measurement. If we do not provide users with explicit information about the type and storage duration of cookies (e.g., as part of obtaining consent), they should assume that these are permanent and that the storage period can be up to two years.

General Notes on Revocation and Objection (Opt-out): Users can revoke the consents they have given at any time and also object to processing in accordance with legal requirements, including via the privacy settings of their browser.

• Processed Data Types: Meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

• Affected Persons: Users (e.g., website visitors, users of online services).

• Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further Information on Processing Processes, Procedures, and Services:

• Processing of Cookie Data Based on Consent: We use a consent management solution to obtain user consent for the use of cookies or for the procedures and providers mentioned in the context of the consent management solution. This procedure serves to obtain, log, manage, and revoke consents, especially regarding the use of cookies and similar technologies used to store, read, and process information on users' devices. Within this process, user consent for the use of cookies and the associated processing of information, including the specific processing and providers mentioned in the consent management process, is obtained. Users also have the option to manage and revoke their consents. The consent declarations are stored to avoid repeated requests and to be able to provide evidence of consent in accordance with legal requirements. Storage is done server-side and/or in a cookie (so-called opt-in cookie) or similar technologies to assign consent to a specific user or device. If there are no specific details about the providers of consent management services, the following general information applies: The storage period of the consent is up to two years. A pseudonymous user identifier is created, which is stored together with the time of consent, details of the scope of consent (e.g., relevant categories of cookies and/or service providers), and information about the browser, system, and device used; Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Blogs and Publication Media

We use blogs or similar means of online communication and publication (hereinafter "publication medium"). The data of the readers are processed for the purposes of the publication medium only to the extent necessary for its presentation and communication between authors and readers or for security reasons. For further information on the processing of visitors to our publication medium, please refer to the information in this data protection notice.

• Processed Data Types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or telephone numbers); Content data (e.g., textual or pictorial messages and contributions as well as the information concerning them, such as information about authorship or time of creation); Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions). Meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

• Affected Persons: Users (e.g., website visitors, users of online services).

• Purposes of Processing: Feedback (e.g., collecting feedback via online form). Provision of our online offering and user-friendliness.

• Storage and Deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion".

• Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Contact and Inquiry Management

When contacting us (e.g., by post, contact form, email, telephone, or via social media) as well as within the scope of existing user and business relationships, the information of the requesting individuals is processed to the extent necessary to respond to the contact inquiries and any requested measures.

• Processed Data Types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or telephone numbers); Content data (e.g., textual or pictorial messages and contributions as well as the information concerning them, such as information about authorship or time of creation); Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions). Meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

• Affected Persons: Communication partners.

• Purposes of Processing: Communication; Organizational and administrative procedures; Feedback (e.g., collecting feedback via online form). Provision of our online offering and user-friendliness.

• Storage and Deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion".

• Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further Information on Processing Processes, Procedures, and Services:

• Contact Form: When contacting us via our contact form, email, or other communication channels, we process the personal data transmitted to us to respond to and process the respective request. This typically includes information such as name, contact information, and any other information that is provided to us and necessary for appropriate processing. We use this data exclusively for the stated purpose of contacting and communication; Legal Bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Communication via Messenger

We use messengers for communication purposes and therefore ask you to observe the following notes on the functionality of the messengers, encryption, the use of metadata in communication, and your options for objection.

You can also contact us through alternative means, e.g., via telephone or email. Please use the contact options provided to you or those specified within our online offering.

In the case of end-to-end encryption of content (i.e., the content of your message and attachments), we would like to point out that the communication content (i.e., the content of the message and attached images) is encrypted end-to-end. This means that the content of the messages is not visible, not even by the messenger providers themselves. You should always use an up-to-date version of the messenger with encryption enabled to ensure the encryption of message contents.

However, we would like to additionally inform our communication partners that although the messengers' providers do not view the content, they can find out that and when communication partners communicate with us, as well as technical information about the devices used by communication partners and, depending on their device settings, location information (metadata).

Notes on Legal Bases: If we ask communication partners for permission before communicating with them via messenger, the legal basis for processing their data is their consent. Otherwise, if we do not ask for consent and they contact us, for example, on their own initiative, we use messengers in relation to our contractual partners and as part of contract initiation as a contractual measure and, in the case of other interested parties and communication partners, based on our legitimate interests in rapid and efficient communication and meeting the needs of our communication partners for communication via messenger. Furthermore, we would like to point out that we do not transmit the contact details provided to us to the messengers without your consent.

Revocation, Objection, and Deletion: You can revoke consent given at any time.

• Processed Data Types: Contact data (e.g., postal and email addresses or - This text area must be unlocked with a premium license. - premiumtext premiumtext premiumtext ). Content data (e.g., textual or pictorial messages and contributions as well as the information concerning them, such as information about authorship - This text area must be unlocked with a premium license. - premiumtext premiumtext premiumtext premiumtext premiumtext premiumtext ).

• Affected Persons: Communication partners.

• Purposes of Processing: Communication.

• Storage and Deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion".

• Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Newsletter and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter "newsletter") only with the consent of the recipients or based on a legal basis. If the contents of the newsletter are specified within the scope of registration for the newsletter, they are decisive for the consent of the users. Usually, providing your email address is sufficient for subscribing to our newsletter. However, to offer you a personalized service, we may ask for your name for personal addressing in the newsletter or for further information if necessary for the purpose of the newsletter.

Deletion and Restriction of Processing: We may store the unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to be able to provide evidence of previously given consent. The processing of this data is limited to the purpose of potential defense against claims. An individual deletion request is possible at any time, provided that the previous existence of consent is confirmed. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocklist.

The logging of the registration process is based on our legitimate interests for the purpose of proving its proper conduct. If we engage a service provider for email dispatch, this is based on our legitimate interests in an efficient and secure dispatch system.

Contents:

Information about us, our services, promotions, and offers.

• Processed Data Types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or telephone numbers); Meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons). Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions).

• Affected Persons: Communication partners.

• Purposes of Processing: Direct marketing (e.g., via email or postal).

• Storage and Deletion: 3 years - Contractual claims (AT) (Data required to consider potential warranty and damages claims or similar contractual claims and rights, as well as to process related inquiries, based on previous business experience and common industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 1478, 1480 ABGB).). 10 years - Contractual claims (CH) (Data necessary to consider potential damages claims or similar contractual claims and rights, as well as to process related inquiries, based on previous business experience and common industry practices, are stored for the duration of the statutory limitation period of ten years, unless a shorter period of 5 years applies, which is relevant in certain cases (Art. 127, 130 OR)).

• Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

• Objection Option (Opt-Out): You can cancel the receipt of our newsletter at any time, i.e., revoke your consent or object to further receipt. A link to unsubscribe from the newsletter can be found either at the end of each newsletter or you can use one of the contact options provided above, preferably email, for this purpose.

Further Information on Processing Processes, Procedures, and Services:

• Measurement of Opening and Click Rates: Newsletters contain a so-called "web beacon," i.e., a pixel-sized file that is retrieved from our or its server when the newsletter is opened, provided we use a dispatch service provider. As part of this retrieval, both technical information such as details about the browser and your system, as well as your IP address and the time of retrieval, are initially collected. These pieces of information are used for the technical improvement of our newsletter based on the technical data or the target groups and their reading behavior determined by their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether and when newsletters are opened and which links are clicked. The information is assigned to the individual newsletter recipients and stored in their profiles until deleted. The evaluations are used to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. The measurement of opening and click rates as well as the storage of the measurement results in the profiles of the users

• Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Competitions and Contests

We process personal data of participants in competitions and contests only in compliance with the relevant data protection regulations, to the extent that processing is contractually necessary for the provision, execution, and handling of the competition, participants have consented to the processing, or processing serves our legitimate interests (e.g., in the security of the competition or protecting our interests against abuse through possible capture of IP addresses when submitting competition entries).

If contributions by participants are published within the scope of the competitions (e.g., in the context of a vote or presentation of competition entries or winners, or reporting on the competition), we would like to point out that the names of the participants may also be published in this context. Participants can object to this at any time.

If the competition takes place within an online platform or social network (e.g., Facebook or Instagram, hereinafter referred to as the "Online Platform"), the terms of use and data protection regulations of the respective platforms also apply. In these cases, we would like to point out that we are responsible for the information provided by participants in the context of the competition and inquiries regarding the competition should be directed to us.

The data of the participants will be deleted as soon as the competition or contest is over and the data are no longer necessary to inform the winners or because no further inquiries about the competition are expected. In principle, the data of the participants will be deleted no later than 6 months after the end of the competition. Data of the winners may be retained for a longer period, for example, to answer inquiries about the prizes or to fulfill the prize obligations; in this case, the retention period depends on the type of prize and may be up to three years, for example, for items or services to handle warranty cases. Furthermore, the data of the participants may be stored longer, for example, in the form of reporting on the competition in online and offline media.

If data were collected for other purposes within the scope of the competition, their processing and retention period are based on the data protection notices for this use (e.g., in the case of registering for a newsletter as part of a competition).

• Processed Data Types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or telephone numbers). Content data (e.g., textual or pictorial messages and contributions as well as the information concerning them, such as authorship details or creation time).

• Affected Persons: Competition and contest participants.

• Purposes of Processing: Conducting competitions and contests.

• Storage and Deletion: Deletion according to information in the section "General Information on Data Storage and Deletion".

• Legal Bases: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Web Analysis, Monitoring, and Optimization

Web analysis (also referred to as "reach measurement") is used to evaluate the visitor flows of our online offering and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, for example, we can determine at what time our online offering or its functions or content are most frequently used or invite reuse. Likewise, we can understand which areas need optimization.

In addition to web analysis, we can also use test procedures to test and optimize different versions of our online offering or its components.

Unless otherwise specified below, for these purposes, profiles, i.e., data summarized to a usage process, can be created and information can be stored in a browser or on a device and then read. The information collected includes, in particular, visited websites and elements used there, as well as technical information, such as the browser used, the computer system used, and information about usage times. If users have consented to the collection of their location data to us or to the providers of the services we use, the processing of location data is also possible.

In addition, the IP addresses of the users are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect the users. Generally, no clear data of the users (such as email addresses or names) are stored in the context of web analysis, A/B testing, and optimization, but pseudonyms. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective procedures.

Notes on Legal Bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economic, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

• Processed Data Types: Usage data (e.g., page views and visit duration, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved individuals).

• Affected Persons: Users (e.g., website visitors, users of online services).

• Purposes of Processing: Reach measurement (e.g., access statistics, detection of recurring visitors). Profiles with user-related information (creation of user profiles).

• Storage and Deletion: Deletion according to information in the section "General Information on Data Storage and Deletion". Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods can be stored on users' devices for a period of two years).

• Security Measures: IP masking (pseudonymization of the IP address).

• Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further notes on processing procedures, methods, and services:

• Google Tag Manager: We use Google Tag Manager, a software from Google that allows us to manage so-called website tags centrally via a user interface. Tags are small code elements on our website used to capture and analyze visitor activities. This technology helps us improve our website and the content offered on it. The Google Tag Manager itself does not create user profiles, store cookies with user profiles, or perform independent analyses. Its function is limited to simplifying and making the integration and management of tools and services we use on our website more efficient. Nevertheless, when using Google Tag Manager, the IP address of users is transmitted to Google, which is technically necessary to implement the services we use. Cookies may also be set in the process. However, this data processing only occurs if services are integrated via the Tag Manager. For more detailed information on these services and their data processing, please refer to the relevant sections of this privacy policy; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website:https://marketingplatform.google.com; Privacy Policy:https://policies.google.com/privacy; Data Processing Agreement:
  https://business.safety.google/adsprocessorterms. Basis for Third-Country Transfers: Data Privacy Framework (DPF).

Online Marketing

We process personal data for the purpose of online marketing, which includes, in particular, the marketing of advertising space or the display of advertising and other content (collectively referred to as "Content") based on potential user interests, as well as measuring their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (the so-called "cookie") or similar methods are used, by means of which the information relevant to the user for the display of the aforementioned content is stored. This can include, for example, viewed content, visited websites, used online networks, as well as communication partners and technical information such as the browser used, the operating system used, and information about usage times and functions used. If users have consented to the collection of their location data, these may also be processed.

In addition, the IP addresses of users are stored. However, we use available IP masking methods (i.e., pseudonymization by shortening the IP address) for user protection. In general, no clear data of users (such as email addresses or names) are stored as part of the online marketing process, but pseudonyms. This means that neither we nor the providers of the online marketing processes know the actual user identity, but only the information stored in their profiles.

Statements in the profiles are usually stored in cookies or similar methods. These cookies can generally also be read on other websites that use the same online marketing process, analyzed for the purpose of displaying content, supplemented with additional data, and stored on the server of the online marketing process provider.

Exceptionally, it is possible to assign clear data to the profiles, primarily when users are, for example, members of a social network whose online marketing processes we use and the network links the user profiles with the aforementioned information. Please note that users can make additional agreements with the providers, for example, by consenting during registration.

In general, we only have access to aggregated information about the success of our advertisements. However, we can check, as part of so-called conversion tracking, which of our online marketing processes led to a so-called conversion, i.e., for example, to a contract conclusion with us. Conversion tracking is used solely for the success analysis of our marketing measures.

Unless otherwise stated, please assume that cookies used will be stored for a period of two years.

Notes on Legal Bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is permission. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economic, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Notes on Revocation and Objection:

We refer to the data protection information of the respective providers and the objection options (so-called "opt-out") provided for the providers. If no explicit opt-out option has been specified, there is the possibility, on the one hand, that you can deactivate cookies in the settings of your browser. However, this may limit the functionality of our online offering. Therefore, we also recommend the following opt-out options, which are summarily offered for respective areas:

a) Europe: https://www.youronlinechoices.eu.

b) Canada: https://www.youradchoices.ca/choices.

c) USA: https://www.aboutads.info/choices.

d) Across territories: https://optout.aboutads.info.

• Processed data types: Usage data (e.g., page views and duration of visit, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, individuals involved).

• Affected individuals: Users (e.g., website visitors, users of online services).

• Purposes of processing: Reach measurement (e.g., access statistics, identification of recurring visitors); Tracking (e.g., interest-/behavior-based profiling, use of cookies); Audience targeting; Marketing; Profiles with user-related information (creation of user profiles). Conversion tracking (measurement of the effectiveness of marketing measures).

• Storage and deletion: Deletion according to information in the section "General information on data storage and deletion". Storage of cookies for up to 2 years (Unless otherwise specified, cookies and similar storage methods can be stored on users' devices for a period of two years.).

• Security measures: IP masking (pseudonymization of IP address).

• Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Additional information on processing procedures, methods, and services:

• Google Ads and Conversion Tracking: Online marketing method for the purpose of placing content and ads within the service provider's advertising network (e.g., in search results, in videos, on websites, etc.), so that they are displayed to users who have a presumed interest in the ads. In addition, we measure the conversion of the ads, i.e., whether users have used them as an opportunity to interact with the ads and use the advertised offers (so-called conversions). However, we only receive anonymous information and no personal information about individual users; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy:https://policies.google.com/privacy; Basis for transfers to third countries: Data Privacy Framework (DPF); Additional information:Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms between controllers and standard contractual clauses for third-country transfers of data: https://business.safety.google/adscontrollerterms.

• ​