Privacy Policy
Introduction and Overview
We have drafted this privacy policy (version 23.05.2025-113001726) to explain to you, in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (short: data) we, as data controllers — and the processors we have commissioned (e.g. providers) — process, will process in the future, and the legal options you have. The terms used are to be understood as gender-neutral.
In short: We inform you comprehensively about the data we process about you.
Privacy policies usually sound very technical and use legal terminology. This privacy policy, however, aims to describe the most important points to you as simply and transparently as possible. Where it enhances transparency, technical terms will be explained in a user-friendly way, links to further information will be provided, and graphics will be used. In clear and simple language, we explain that we only process personal data in the course of our business activities when there is a legal basis for doing so. That is not possible if explanations are as brief, unclear, and full of legal jargon as is often the case on the internet when it comes to data protection. We hope you find the following explanations interesting and informative, and perhaps you’ll learn something new.
If you still have questions, please contact the data controller mentioned below or in the imprint, follow the available links, and consult additional information on third-party sites. You can of course also find our contact details in the imprint.
Scope of Application
This privacy policy applies to all personal data processed by us within the company and to all personal data processed by companies we commission (processors). By personal data, we mean information within the meaning of Art. 4 No. 1 GDPR such as a person’s name, email address, and postal address. The processing of personal data ensures that we can offer and bill our services and products — whether online or offline. The scope of this privacy policy includes:
- all online presences (websites, online shops) that we operate
- social media presences and email communication
- mobile apps for smartphones and other devices
In short: The privacy policy applies to all areas in which personal data is processed in a structured way via the aforementioned channels in the company. Should we enter into legal relationships with you outside these channels, we will inform you separately if necessary.
Legal Bases
In this privacy policy, we provide you with transparent information on the legal principles and regulations — that is, the legal bases of the General Data Protection Regulation — that allow us to process personal data.
As far as EU law is concerned, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. You can, of course, read this EU General Data Protection Regulation online at EUR-Lex, the access point to EU law: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32016R0679
We only process your data if at least one of the following conditions applies:
- Consent (Article 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose. An example would be the storage of your input from a contact form.
- Contract (Article 6(1)(b) GDPR): To fulfill a contract or pre-contractual obligations with you, we process your data. For example, if we enter into a purchase agreement with you, we need personal information in advance.
- Legal Obligation (Article 6(1)(c) GDPR): If we are subject to a legal obligation, we process your data. For example, we are legally obliged to retain invoices for accounting purposes. These typically contain personal data.
- Legitimate Interests (Article 6(1)(f) GDPR): In the case of legitimate interests that do not override your fundamental rights, we reserve the right to process personal data. For example, we need to process certain data to operate our website safely and efficiently, which constitutes a legitimate interest.
Other conditions such as processing in the public interest or the exercise of official authority, and the protection of vital interests, generally do not apply to us. If such a legal basis does apply, it will be indicated at the relevant point.
In addition to the EU regulation, national laws also apply:
- In Austria, this is the Federal Act concerning the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act), abbreviated DSG.
- In Germany, the Federal Data Protection Act (BDSG) applies.
If further regional or national laws apply, we will inform you in the following sections.
Contact Details of the Controller
If you have questions about data protection or the processing of personal data, you will find below the contact details of the controller in accordance with Article 4(7) GDPR:
Commercial Advisory & Technology – CAT
Berggasse 7/3.1
1090 Vienna
Austria
Authorized representative: Dr. Stummer Otto
Imprint: https://commercial-technical-advisory.at/imprint/
Storage Duration
As a general rule, we only store personal data for as long as it is absolutely necessary to provide our services and products. This means that we delete personal data as soon as the reason for processing the data no longer exists. In some cases, we are legally obliged to retain certain data even after the original purpose no longer applies — for example, for accounting purposes.
If you request deletion of your data or revoke your consent to data processing, the data will be deleted as quickly as possible, provided there is no legal obligation to retain it.
We will inform you further below about the specific duration of the respective data processing, if additional information is available.
Rights Under the General Data Protection Regulation
According to Articles 13 and 14 of the GDPR, we inform you of the following rights you have to ensure fair and transparent data processing:
- Right of Access (Article 15 GDPR): You have the right to know whether we are processing data about you. If so, you have the right to receive a copy of the data and learn the following:
  - the purpose of the processing;
  - the categories of personal data being processed;
  - the recipients of the data and, if transferred to third countries, how security is guaranteed;
  - the duration of data storage;
  - the existence of rights to rectification, erasure, restriction of processing, and objection to processing;
  - that you have the right to lodge a complaint with a supervisory authority (links below);
  - the source of the data, if not collected from you;
  - whether profiling is carried out (i.e., whether data is automatically evaluated to create a personal profile of you).
- Right to Rectification (Article 16 GDPR): You have the right to have incorrect data corrected.
- Right to Erasure (Article 17 GDPR): Also known as the “right to be forgotten,” you may request deletion of your data.
- Right to Restriction of Processing (Article 18 GDPR): You can request that we only store your data and not use it further.
- Right to Data Portability (Article 20 GDPR): We must provide your data to you in a common format upon request.
- Right to Object (Article 21 GDPR): You can object to the processing of your data, which may result in a change in processing:
  - If the processing is based on Article 6(1)(e) (public interest, exercise of official authority) or Article 6(1)(f) (legitimate interest), you can object to the processing. We will review whether we can legally comply with your objection as quickly as possible.
  - If data is used for direct marketing, you can object at any time. We may then no longer use your data for direct marketing.
  - If data is used for profiling, you can also object at any time. We may then no longer use your data for profiling.
- Right Not to be Subject to Automated Decision-Making (Article 22 GDPR): Under certain circumstances, you have the right not to be subject to decisions based solely on automated processing (e.g., profiling).
- Right to Lodge a Complaint (Article 77 GDPR): If you believe that the processing of your personal data violates the GDPR, you can complain to a supervisory authority at any time.
In short: You have rights — don’t hesitate to contact the data controller listed above!
If you believe that your data is being processed unlawfully or that your data protection rights have been violated in some other way, you can lodge a complaint with the supervisory authority. In Austria, this is the Austrian Data Protection Authority, whose website is https://www.dsb.gv.at. In Germany, each federal state has its own data protection commissioner. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The local supervisory authority responsible for our company is:
Austrian Data Protection Authority
Director: Dr. Matthias Schmidl
Address: Barichgasse 40-42, 1030 Vienna
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/
Security of Data Processing
To protect personal data, we have implemented both technical and organizational measures. Where possible, we encrypt or pseudonymize personal data. This makes it as difficult as possible, within our means, for third parties to infer personal information from our data.
Article 25 GDPR refers to “data protection by design and by default” — meaning that both software (e.g., forms) and hardware (e.g., server room access) should always be designed with security in mind and appropriate measures should be taken. Below, we will describe specific measures where necessary.
TLS Encryption with HTTPS
TLS, encryption, and HTTPS sound very technical — and they are. We use HTTPS (Hypertext Transfer Protocol Secure) to transmit data securely over the internet.
This means that the entire transmission of data from your browser to our web server is secured — no one can “listen in.”
By doing this, we have added an extra layer of security and comply with data protection by design (Article 25(1) GDPR). Using TLS (Transport Layer Security), a cryptographic protocol for secure data transmission on the internet, we can ensure the confidentiality of sensitive data.
You can recognize the use of this secure data transmission by the small lock symbol 🔒 in the upper left corner of your browser, to the left of the web address (e.g., example.com), and the use of the https scheme (instead of http) as part of our internet address.
If you want to learn more about encryption, we recommend searching for “Hypertext Transfer Protocol Secure wiki” on Google to find good links with further information.
Communication
Communication Summary
- Data Subjects: Anyone who communicates with us via telephone, email, or online form
- Processed Data: e.g., phone number, name, email address, entered form data. More details can be found for each communication method.
- Purpose: Handling communication with customers, business partners, etc.
- Storage Duration: Duration of the business case and in accordance with legal requirements
- Legal Bases: Article 6(1)(a) GDPR (Consent), Article 6(1)(b) GDPR (Contract), Article 6(1)(f) GDPR (Legitimate Interests)
When you contact us via phone, email, or online form, personal data may be processed.
This data is processed to handle and process your request and the related business transaction. The data is stored for as long as necessary or as long as legally required.
Affected Persons
This applies to anyone who contacts us via the communication methods we provide.
Telephone
When you call us, call data is pseudonymously stored on the respective device and by the telecommunications provider used. Additionally, data such as your name and phone number may be sent via email and stored for response purposes. The data is deleted once the business case is completed and legal retention periods allow.
Email
When you communicate with us via email, data may be stored on the respective device (computer, laptop, smartphone, etc.) and on the email server. The data is deleted once the business case is completed and legal retention periods allow.
Online Forms
When you communicate with us via an online form, data is stored on our web server and may be forwarded to an email address of ours. The data is deleted once the business case is completed and legal retention periods allow.
Legal Bases
The processing of data is based on the following legal bases:
- Article 6(1)(a) GDPR (Consent): You give us consent to store and use your data for the purposes related to the business case;
- Article 6(1)(b) GDPR (Contract): It is necessary for fulfilling a contract with you or a processor, such as the telephone provider, or we need the data for pre-contractual activities such as preparing an offer;
- Article 6(1)(f) GDPR (Legitimate Interests): We want to conduct customer inquiries and business communication in a professional manner. This requires technical tools such as email programs, exchange servers, and mobile providers to ensure efficient communication.
Data Processing Agreement (DPA)
In this section, we want to explain what a Data Processing Agreement (DPA) is and why it is necessary. Since “Data Processing Agreement” is quite a mouthful, we will also often use the abbreviation DPA throughout this text. Like most companies, we do not work alone but use services from other companies or individuals. By involving various companies or service providers, we may transmit personal data for processing. These partners act as processors, with whom we sign a contract — the so-called Data Processing Agreement (DPA). The most important thing for you to know is that the processing of your personal data is carried out exclusively according to our instructions and must be governed by the DPA.
Who are processors?
As a company and website operator, we are responsible for all data we process about you. In addition to controllers, there may also be so-called processors. This includes any company or person who processes personal data on our behalf. More precisely and according to the GDPR definition: any natural or legal person, authority, agency, or other body that processes personal data on behalf of the controller is considered a processor. Processors can include service providers like hosting or cloud providers, payment or newsletter providers, or large companies such as Google or Microsoft.
To better understand the terminology, here’s an overview of the three roles under the GDPR:
- Data Subject (you as a customer or prospect) →
- Controller (us as the company and contracting entity) →
- Processor (service providers such as web hosts or cloud providers)
Contents of a Data Processing Agreement
As mentioned above, we have signed a DPA with our partners who act as processors. This contract stipulates that the processor will process the data exclusively in accordance with the GDPR. The contract must be concluded in writing, although electronic completion also counts as “in writing” in this context. Only on the basis of this contract may the processing of personal data take place. The contract must include the following:
- Binding to us as the controller
- Duties and rights of the controller
- Categories of data subjects
- Type of personal data
- Nature and purpose of data processing
- Subject matter and duration of processing
- Place of data processing
The contract also includes all obligations of the processor. The most important obligations are:
- Ensuring data security measures
- Taking possible technical and organizational measures to protect the rights of the data subject
- Maintaining a record of processing activities
- Cooperating with the supervisory authority upon request
- Performing a risk analysis regarding the received personal data
- Engaging subcontractors only with the controller’s written consent
To see what such a DPA looks like, you can view a sample contract here (German only):
https://www.wko.at/service/wirtschaftsrecht-gewerberecht/eu-dsgvo-mustervertrag-auftragsverarbeitung.html
Cookies
Cookies Summary
- Data Subjects: Website visitors
- Purpose: Depends on the specific cookie. More details are provided below or by the software provider that sets the cookie.
- Processed Data: Depends on the specific cookie. More details are provided below or by the software provider that sets the cookie.
- Storage Duration: Varies by cookie, from hours to years
- Legal Bases: Article 6(1)(a) GDPR (Consent), Article 6(1)(f) GDPR (Legitimate Interests)
What are Cookies?
Our website uses HTTP cookies to store user-specific data. Below, we explain what cookies are and why they are used so that this privacy policy is easier to understand.
Whenever you browse the internet, you use a browser. Common browsers include Chrome, Safari, Firefox, Internet Explorer, and Microsoft Edge. Most websites store small text files in your browser — these are called cookies.
There’s no denying it: cookies are helpful little tools. Almost all websites use cookies. More specifically, they use HTTP cookies, as there are also other types of cookies for other application areas. HTTP cookies are small files that our website stores on your computer. These cookie files are automatically placed in the cookie folder, the “brain” of your browser. A cookie consists of a name and a value. When defining a cookie, one or more attributes must also be specified.
Cookies store certain user data, such as language or personal site settings. When you revisit our site, your browser transmits the “user-specific” information back to our site. Thanks to cookies, our website knows who you are and offers you the settings you are used to. In some browsers, each cookie has its own file; in others like Firefox, all cookies are stored in one single file.
The following graphic illustrates a possible interaction between a web browser (e.g., Chrome) and a web server. The browser requests a website and receives a cookie from the server, which the browser reuses for any future page requests.
There are both first-party cookies and third-party cookies. First-party cookies are created directly by our site, while third-party cookies are created by partner websites (e.g., Google Analytics). Each cookie must be evaluated individually, as each stores different data. Cookie expiration dates also vary from a few minutes to several years. Cookies are not software programs and do not contain viruses, Trojans, or other malware. Cookies also cannot access information on your PC.
Here’s an example of cookie data:
- Name: _ga
- Value: GA1.2.1326744211.152113001726-9
- Purpose: Distinguishes website visitors
- Expiration: After 2 years
Minimum sizes a browser should support:
- At least 4096 bytes per cookie
- At least 50 cookies per domain
- At least 3000 cookies in total
What Types of Cookies Are There?
The types of cookies we use specifically depend on the services used and are detailed in the following sections of this privacy policy. At this point, we would like to briefly explain the different types of HTTP cookies.
There are four types of cookies:
- Essential Cookies
These cookies are necessary to ensure basic website functions. For example, they are required when a user adds a product to the shopping cart, continues browsing on other pages, and only checks out later. These cookies prevent the cart from being deleted, even if the user closes the browser window.
- Functional Cookies
These cookies collect information about user behavior and whether the user receives error messages. They also measure load times and website behavior across different browsers.
- Performance Cookies
These cookies enhance user-friendliness. For example, they store entered locations, font sizes, or form data.
- Advertising Cookies
Also known as targeting cookies, they aim to deliver personalized advertising to the user. This can be very useful — but also quite annoying.
Usually, when you first visit a website, you are asked which of these types of cookies you want to allow. Of course, this decision is also stored in a cookie.
If you want to learn more about cookies and are not intimidated by technical documentation, we recommend:
https://datatracker.ietf.org/doc/html/rfc6265
— the Request for Comments of the Internet Engineering Task Force (IETF) titled “HTTP State Management Mechanism.”
Purpose of Processing via Cookies
The purpose ultimately depends on the respective cookie. More details can be found below or from the software provider that set the cookie.
What Data Is Processed?
Cookies are small helpers for many different tasks. Unfortunately, it’s not possible to generalize what data cookies store — but we will inform you below in this privacy policy about the data that is processed or stored.
Storage Duration of Cookies
The storage duration depends on the specific cookie and will be explained below. Some cookies are deleted after less than an hour, while others may be stored on your computer for several years.
You also have influence over storage duration. You can delete all cookies manually at any time via your browser (see below under “Right to Object”). Additionally, cookies based on your consent are deleted at the latest when you revoke your consent — without affecting the legality of the storage prior to revocation.
Right to Object – How Can I Delete Cookies?
You can decide whether and how you want to use cookies. Regardless of the service or website they come from, you always have the option to delete, disable, or allow only certain cookies. For example, you can block cookies from third parties but allow all other cookies.
If you want to find out which cookies are stored in your browser, change cookie settings, or delete them, you can do this in your browser settings:
- Chrome: Delete, activate, and manage cookies in Chrome
- Safari: Manage cookies and website data with Safari
- Firefox: Delete cookies to remove website data stored on your computer
- Internet Explorer: Delete and manage cookies
- Microsoft Edge: Delete and manage cookies
If you generally don’t want any cookies, you can set your browser to notify you whenever a cookie is to be set. This way, you can decide individually for each cookie whether to allow it or not. The process varies by browser. The best way is to search Google for “delete cookies Chrome” or “disable cookies Chrome” if you’re using Chrome.
Legal Basis
Since 2009, there have been so-called “Cookie Directives.” These stipulate that storing cookies requires your consent (Article 6(1)(a) GDPR). However, EU countries have responded differently to these directives. In Austria, the directive was implemented in Section 165(3) of the Telecommunications Act (2021). In Germany, the directive was not implemented as national law. Instead, it was largely integrated into Section 15(3) of the Telemedia Act (TMG), which has been replaced by the Digital Services Act (DDG) as of May 2024.
For strictly necessary cookies — even without consent — there are legitimate interests (Article 6(1)(f) GDPR), which are mostly economic in nature. We want to provide visitors to the website with a pleasant user experience, and certain cookies are often essential for that.
If non-essential cookies are used, this only happens with your explicit consent. The legal basis for this is Article 6(1)(a) GDPR.
In the following sections, you will receive more detailed information about the use of cookies if the software used utilizes cookies.
Web Hosting Introduction
Web Hosting Summary
- Data Subjects: Website visitors
- Purpose: Professional hosting of the website and operational security
- Processed Data: IP address, time of website visit, browser used, and more. Details can be found below or with the respective web hosting provider.
- Storage Duration: Depends on the provider, usually 2 weeks
- Legal Basis: Article 6(1)(f) GDPR (Legitimate Interests)
What is Web Hosting?
Whenever you visit websites today, some information — including personal data — is automatically created and stored. This also applies to our website. Such data should be processed as sparingly and justifiably as possible. By “website,” we mean the entirety of all pages on a domain, i.e., everything from the homepage to the very last subpage (like this one). A “domain” might be, for example, example.com.
To view a website on a computer, tablet, or smartphone, you use a program called a web browser. You probably know several by name: Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari.
To display the website, the browser must connect to another computer where the website’s code is stored — the web server. Operating a web server is a complex task, so it is usually handled by professional providers. These providers offer web hosting and ensure reliable and error-free storage of website data.
When your browser on your computer (desktop, laptop, tablet, or smartphone) connects to the web server and data is transmitted back and forth, personal data may be processed. On the one hand, your computer stores data, and on the other, the web server must store data for a period to ensure proper operation.
A picture is worth a thousand words, so the following graphic illustrates the interaction between browser, internet, and hosting provider.
Why Do We Process Personal Data?
The purposes of data processing include:
- Professional hosting of the website and ensuring operational security
- Maintaining operational and IT security
- Anonymous analysis of access behavior to improve our offer and, if necessary, to enable law enforcement or the assertion of claims
What Data Is Processed?
Even while you’re visiting our website right now, our web server — the computer on which this website is stored — usually automatically stores data such as:
- the full internet address (URL) of the accessed web page
- browser and browser version (e.g., Chrome 87)
- the operating system used (e.g., Windows 10)
- the address (URL) of the previously visited page (referrer URL) (e.g., https://www.examplesource.com/whereicamefrom/)
- the hostname and IP address of the device from which access is made (e.g., COMPUTERNAME and 194.23.43.121)
- date and time
This data is stored in files called web server log files.
How Long Are Data Stored?
Generally, the above-mentioned data are stored for two weeks and then automatically deleted. We do not share this data, but we cannot rule out the possibility that this data may be viewed by authorities in the event of unlawful behavior.
In short: Your visit is logged by our provider (the company that runs our website on special computers — servers), but we do not pass on your data without your consent!
Legal Basis
The lawful processing of personal data in the context of web hosting is based on Article 6(1)(f) GDPR (legitimate interests), as using professional hosting by a provider is necessary to present our business on the internet securely and in a user-friendly way, and to be able to pursue any claims or prevent attacks arising from this.
A data processing agreement (DPA) in accordance with Article 28 et seq. GDPR is usually concluded between us and the hosting provider, ensuring data protection compliance and guaranteeing data security.
Website Builder Systems Introduction
Website Builder Systems Privacy Policy Summary
- Data Subjects: Website visitors
- Purpose: Optimization of our service
- Processed Data: Data such as technical usage information like browser activity, clickstream activities, session heatmaps, contact data, IP address, or geographic location. More details can be found below and in the provider’s privacy policy.
- Storage Duration: Depends on the provider
- Legal Bases: Article 6(1)(f) GDPR (Legitimate Interests), Article 6(1)(a) GDPR (Consent)
What Are Website Builder Systems?
We use a website builder system for our website. Website builders are a special form of content management system (CMS). With such a system, website operators can create a website very easily and without programming knowledge. In many cases, web hosts also offer builder systems. When using a builder, your personal data may also be collected, stored, and processed. In this privacy policy section, we provide general information about data processing by builder systems. Further details can be found in the privacy policies of the providers.
Why Do We Use Website Builder Systems for Our Website?
The greatest advantage of a website builder system is its ease of use. We want to provide you with a clear, simple, and well-structured website that we can manage and maintain ourselves — without external support. A builder system now offers many helpful features that we can use without programming knowledge. This allows us to design our web presence as we wish and provide you with an informative and enjoyable experience on our website.
What Data Is Stored by a Website Builder System?
The exact data stored depends, of course, on the website builder system used. Each provider collects and processes different user data. However, technical usage information such as operating system, browser, screen resolution, language and keyboard settings, hosting provider, and the date of your website visit is typically collected. Additionally, tracking data (e.g., browser activity, clickstream activities, session heatmaps, etc.) may be processed. Personal data may also be collected and stored — typically contact data like email address, phone number (if you’ve provided it), IP address, and geographic location data. You can find out what specific data is stored in the provider’s privacy policy.
How Long and Where Is the Data Stored?
We will inform you below — where available — about the duration of data processing in connection with the website builder used. The provider’s privacy policy generally contains detailed information. In general, we process personal data only as long as absolutely necessary to provide our services and products. However, the provider may store your data at their own discretion, over which we have no influence.
Right to Object
You always have the right to access, rectify, and delete your personal data. For questions, you can also contact the responsible parties of the builder system used at any time. Their contact details can be found either in our privacy policy or on the respective provider’s website.
Cookies used by providers for their functions can be deleted, deactivated, or managed in your browser. Depending on the browser used, this works in different ways. Please note, however, that some features may no longer work as expected afterward.
Legal Basis
We have a legitimate interest in using a website builder system to optimize our online services and to present them efficiently and appealingly to you. The corresponding legal basis is Article 6(1)(f) GDPR (legitimate interests). However, we only use the builder system to the extent you have given your consent.
If data processing is not absolutely necessary for the operation of the website, it is only carried out based on your consent. This particularly applies to tracking activities. In such cases, the legal basis is Article 6(1)(a) GDPR.
With this privacy policy, we’ve provided the most important general information about data processing. If you would like more detailed information, you will find further details — if available — in the following section or in the provider’s privacy policy.
WordPress.com Privacy Policy
WordPress.com Privacy Policy Summary
- Data Subjects: Website visitors
- Purpose: Optimization of our service
- Processed Data: Data such as technical usage information like browser activity, clickstream activities, session heatmaps, as well as contact data, IP address, or geographic location. More details are provided below.
- Storage Duration: Depends primarily on the type of data stored and the specific settings
- Legal Bases: Article 6(1)(a) GDPR (Consent), Article 6(1)(f) GDPR (Legitimate Interests)
What is WordPress?
We use the well-known content management system WordPress.com for our website. The service provider is the American company Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA.
Founded in 2003, the company quickly developed into one of the most popular CMS platforms worldwide. A CMS (Content Management System) is software that helps us design and structure our website. The content can include text, audio, and video.
By using WordPress, your personal data may also be collected, stored, and processed. Typically, technical data such as operating system, browser, screen resolution, or hosting provider is stored — but personal data like your IP address, geographic data, or contact details may also be processed.
Why Do We Use WordPress on Our Website?
While we have many strengths, programming isn’t one of our core skills. Still, we want to offer you a powerful and appealing website that we can manage ourselves. Thanks to WordPress, we don’t need to be programming experts to do that. Its ease of use and comprehensive functionality allow us to create and manage our web presence exactly how we want — and deliver a great user experience.
What Data Is Processed by WordPress?
Non-personal data includes technical usage details like:
- browser activity
- clickstream activities
- session heatmaps
- data about your computer, operating system, browser, screen resolution, language, and keyboard settings
- internet provider
- date of website visit
Personal data that may be collected includes:
- contact data (email address or phone number, if provided)
- IP address
- geographic location
WordPress may also use cookies to collect data, such as which subpages you visit, how long you stay on them, when you leave a page (bounce rate), or your preferences (e.g., language). WordPress uses this data to better tailor its marketing to your interests and behavior.
WordPress can also use technologies such as pixel tags (web beacons) to uniquely identify you and possibly offer interest-based advertising.
How Long and Where Is the Data Stored?
The storage duration of the data depends on various factors, primarily the type of data and the specific website settings. Generally, WordPress deletes data when it is no longer needed for its purposes. However, exceptions exist, particularly when legal obligations require longer retention.
Web server logs that include your IP address and technical data are deleted by WordPress/Automattic after 30 days. During this period, Automattic uses the data to analyze traffic across its websites (e.g., all WordPress sites) and to fix potential problems.
Deleted content on WordPress websites is stored in the trash for 30 days to allow for recovery. After that, it may still be found in backups and caches until these are also deleted. The data is stored on Automattic’s servers in the USA.
How Can I Delete My Data or Prevent Storage?
You always have the right to access your personal data and object to its use and processing. You can also file a complaint with a data protection authority at any time.
In your browser, you can manage, delete, or disable cookies at any time. Please note that deleting or disabling cookies may negatively impact some functions of our WordPress site. The way cookie management works depends on the browser you use. You’ll find help with this in the “Cookies” section above.
Legal Basis
If you have given your consent for the use of WordPress, the legal basis for data processing is that consent (Article 6(1)(a) GDPR).
We also have a legitimate interest in using WordPress to optimize our online service and present it attractively for you. The relevant legal basis here is Article 6(1)(f) GDPR (legitimate interests). We only use WordPress if you have given your consent.
WordPress (Automattic) also processes your data in the USA. Automattic is an active participant in the EU-US Data Privacy Framework, which regulates the secure transfer of personal data of EU citizens to the US. More information can be found at:
https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en
Automattic also uses Standard Contractual Clauses (SCCs) under Article 46(2) and (3) GDPR. These are model contracts provided by the European Commission to ensure your data complies with European privacy standards, even if it is processed and stored in third countries like the US. You can view the decision and SCC templates here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
More details about WordPress’s privacy practices can be found here:
https://automattic.com/privacy/
Data Processing Agreement (DPA) with WordPress.com
In accordance with Article 28 of the General Data Protection Regulation (GDPR), we have concluded a Data Processing Agreement (DPA) with WordPress.com. You can read more about what a DPA entails in our general section above titled “Data Processing Agreement (DPA).”
This agreement is legally required because WordPress.com processes personal data on our behalf. It specifies that WordPress.com may only process the data they receive from us based on our instructions and must comply with the GDPR. The link to WordPress.com’s DPA is available at:
https://wordpress.com/support/data-processing-agreements/
Cookie Consent Management Platform Introduction
Cookie Consent Management Platform Summary
- Data Subjects: Website visitors
- Purpose: Collecting and managing consent for certain cookies and tools
- Processed Data: Data for managing cookie settings such as IP address, time of consent, type of consent, individual consents. More details are provided for the specific tool used.
- Storage Duration: Depends on the tool used, but can span several years
- Legal Bases: Article 6(1)(a) GDPR (Consent), Article 6(1)(f) GDPR (Legitimate Interests)
What is a Cookie Consent Management Platform (CMP)?
We use a Consent Management Platform (CMP) on our website, which helps us and you to correctly and securely handle the scripts and cookies we use. The software automatically creates a cookie pop-up, scans and monitors all scripts and cookies, provides the legally required cookie consent mechanism, and helps both you and us keep track of all cookies. Most CMP tools identify and categorize all existing cookies. You as a website visitor then decide which scripts and cookies you allow.
The following graphic shows the relationship between browser, web server, and CMP.
Why Do We Use a Cookie Management Tool?
Our goal is to offer you the greatest possible transparency in terms of data protection. Moreover, we are legally required to do so. We want to inform you about all tools and cookies that store or process your data. It is your right to decide which cookies you accept and which you do not. To grant you this right, we first need to know which cookies are on our site. Thanks to a cookie management tool that regularly scans the site for all cookies, we know exactly what is present and can inform you in a GDPR-compliant manner. The consent system then allows you to accept or reject cookies.
What Data Is Processed?
With our cookie management tool, you can manage each cookie individually and have full control over the storage and processing of your data. Your declaration of consent is stored so that we don’t have to ask for it again every time you visit our website and to ensure that we can prove your consent if legally required. This consent is stored either in an opt-in cookie or on a server.
Depending on the provider of the cookie management tool, your cookie consent may be stored for up to two years. Typically, the following data is stored:
- a pseudonymous user ID
- timestamp of consent
- details on cookie categories or tools allowed
- browser and device information
Duration of Data Processing
We inform you below — if we have additional information — about the duration of data processing. In general, we process personal data only as long as it is absolutely necessary to provide our services and products. Cookies are stored for different lengths of time. Some are deleted immediately after leaving the website, while others can remain stored in your browser for several years.
The exact duration of data processing depends on the tool used. Typically, you should expect a storage duration of several years. Detailed information on the duration is usually found in the respective provider’s privacy policy.
Right to Object
You also have the right and the option to revoke your consent to the use of cookies at any time. This can be done through our cookie management tool or via other opt-out options. For example, you can also prevent data collection via cookies by managing, deactivating, or deleting cookies in your browser.
For more information on specific cookie management tools, refer to the following sections, if available.
Legal Basis
If you consent to cookies, personal data is processed and stored via those cookies. If we are permitted to use cookies based on your consent (Article 6(1)(a) GDPR), this consent is also the legal basis for the use of cookies and the processing of your data.
In order to manage your cookie consent and enable consent at all, we use a cookie consent management platform. Using this software allows us to operate the website in a legally compliant and efficient way — which constitutes a legitimate interest (Article 6(1)(f) GDPR).
Security & Anti-Spam
Security & Anti-Spam Privacy Policy Summary
- Data Subjects: Website visitors
- Purpose: Cybersecurity
- Processed Data: Data such as your IP address, name, or technical data like browser version. More details are provided below and in the individual privacy policies.
- Storage Duration: Most data is stored as long as necessary for the service
- Legal Bases: Article 6(1)(a) GDPR (Consent), Article 6(1)(f) GDPR (Legitimate Interests)
What is Security & Anti-Spam Software?
Security and anti-spam software helps protect both you and us from spam or phishing emails and other cyberattacks. Spam refers to unsolicited advertising emails sent in bulk, also called junk mail, which can result in costs. Phishing emails, on the other hand, are messages designed to build trust through fake communications or websites in order to steal personal data.
Anti-spam software typically blocks unwanted spam messages or malicious emails that may try to inject viruses into our systems. We also use general firewall and security systems that protect our computers from unauthorized network attacks.
Why Do We Use Security & Anti-Spam Software?
We place great importance on security — not just for ourselves but especially for you. Cyber threats have unfortunately become part of everyday life in the world of IT and the internet. Hackers frequently attempt to access personal data through cyberattacks. Therefore, having a strong defense system is absolutely essential.
A security system monitors all incoming and outgoing connections to our network or computers. To further increase cybersecurity, we also use external security services in addition to the standardized protection on our devices. These services help block unauthorized data traffic and protect us from cybercrime.
What Data Is Processed by Security & Anti-Spam Software?
The specific data collected and stored depends on the service in question. We always aim to use software that collects as little data as possible and only what is necessary to provide the offered service. Generally, the service may store:
- name
- address
- IP address
- email address
- technical data like browser type or version
- log and performance data
These data are processed according to service contracts and legal requirements — including compliance with the GDPR via standard contractual clauses (for US providers). These security services may work with third parties that store and/or process data according to instructions and in line with data protection and security policies. Data storage is usually done via cookies.
Duration of Data Processing
We will inform you further below — where more information is available — about the duration of data processing. For example, security programs may store data until either you or we revoke the storage. In general, personal data is stored only as long as it is absolutely necessary to provide the respective services. In many cases, unfortunately, providers do not give precise details about storage durations.
Right to Object
You always have the right and the option to revoke your consent to the use of cookies or third-party security services. This can be done through our cookie management tool or via other opt-out features. For example, you can prevent data collection via cookies by managing, deactivating, or deleting cookies in your browser.
Since security services may also use cookies, we recommend that you read our general cookie privacy section. To find out exactly which data about you is stored and processed, you should consult the respective privacy policies of the tools used.
Legal Basis
We primarily use security services based on our legitimate interest (Article 6(1)(f) GDPR) in having a secure system to protect against various cyber threats.
Certain processes — particularly the use of cookies and security functions — require your consent. If you have consented to allow security services to process and store your data, that consent is the legal basis for the data processing (Article 6(1)(a) GDPR). Most of the services we use store cookies in your browser to collect data. That’s why we strongly recommend reviewing our full cookie privacy section as well as the privacy policies or cookie guidelines of the individual service providers.
For details on specific tools, please refer to the sections below (if available).
Web Design Introduction
Web Design Privacy Policy Summary
- Data Subjects: Website visitors
- Purpose: Enhancing user experience
- Processed Data: Depends heavily on the tools used — typically includes IP address, technical data, language settings, browser version, screen resolution, and browser name. More details can be found under each web design tool used.
- Storage Duration: Depends on the tools used
- Legal Bases: Article 6(1)(a) GDPR (Consent), Article 6(1)(f) GDPR (Legitimate Interests)
What Is Web Design?
We use various tools on our website that support our web design. Web design doesn’t just mean that a website looks nice — it also involves functionality and performance. A professional design ensures both aesthetic appeal and user-friendliness.
Web design is a sub-field of media design and deals with the visual, structural, and functional layout of websites. The goal is to improve your experience on our site — in web design terms, this is referred to as User Experience (UX) and Usability. Usability is about ensuring that content, subpages, or products are clearly structured so that users can find what they need quickly and easily.
To provide the best possible user experience, we also use third-party web design tools. In this privacy policy, “web design” refers to all services that visually enhance our site — for example, fonts, plugins, or other integrated features.
Why Do We Use Web Design Tools?
How you perceive and absorb information on a website depends heavily on the structure, functionality, and visual presentation of the site. That’s why good, professional web design has become increasingly important to us. We constantly work on improving our website, and we see this as an extended service for you as a visitor. A well-designed and smoothly functioning website also has economic benefits for us — after all, you’re more likely to visit us and use our services if you feel comfortable.
What Data Is Stored by Web Design Tools?
When you visit our website, web design elements may be integrated into our pages that also process data. The exact data processed depends on the tools used. Further down, you will find which tools we use on our website. We recommend reading the individual privacy policies of those tools for more detailed information.
Typically, the following are automatically transmitted to the provider’s servers, especially when using web fonts like Google Fonts:
- language settings
- IP address
- browser version
- screen resolution
- browser name
Duration of Data Processing
How long data is processed varies depending on the web design elements in use. If cookies are used, storage duration can range from a single minute to several years. Please check the specific duration in the cookie section and in the privacy policies of the respective tools. For example, Google font files are stored for one year to improve website load times.
In general, data is stored only as long as necessary to provide the service. In some cases, legal regulations may require longer storage durations.
Right to Object
You always have the right and the option to revoke your consent to the use of cookies or third-party services. This can be done either via our cookie management tool or other opt-out mechanisms. You can also manage or delete cookies directly in your browser. However, some web design elements (especially fonts) involve data that cannot be easily deleted, as it is automatically collected and transmitted to third-party providers when the page loads. In such cases, please contact the respective provider’s support. For Google, you can use the support page:
https://support.google.com/?hl=en
Legal Basis
If you have consented to the use of web design tools, that consent is the legal basis for the data processing (Article 6(1)(a) GDPR).
We also have a legitimate interest in improving the design of our website — after all, we want to provide a pleasant and professional online presence. The corresponding legal basis is Article 6(1)(f) GDPR (legitimate interests). However, we only use web design tools with your consent — we emphasize that again here.
You can find more information about specific web design tools — if available — in the following sections.
Google Fonts Local Privacy Policy
We use Google Fonts by Google Inc. on our website. For the European region, the responsible entity is Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland).
We have integrated the Google Fonts locally — meaning they are stored on our own web server, not on Google’s servers. Therefore, there is no connection to Google servers and no data transmission or storage by Google.
What Are Google Fonts?
Google Fonts, previously known as Google Web Fonts, is an interactive directory of over 800 fonts provided by Google free of charge. With Google Fonts, fonts can normally be used without uploading them to one's own server. However, to completely prevent the transfer of information to Google, we have downloaded and hosted the fonts locally. This ensures we are acting in a privacy-compliant manner and do not send any data to Google Fonts.
Explanation of Terms Used
We always strive to write our privacy policy as clearly and understandably as possible. However, especially with technical and legal topics, this is not always easy. It often makes sense to use legal terms (e.g., personal data) or specific technical terms (e.g., cookies, IP address). We don’t want to use them without explanation.
Below is an alphabetical list of important terms we’ve used in this privacy policy that may not have been sufficiently explained:
Processor
Definition according to Article 4 GDPR:
A “processor” is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
Consent
Definition according to Article 4 GDPR:
“Consent” of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by which they signify agreement to the processing of personal data relating to them.
Personal Data
Definition according to Article 4 GDPR:
“Personal data” means any information relating to an identified or identifiable natural person — i.e., someone who can be identified directly or indirectly.
Examples include:
- Name
- Address
- Email address
- Postal address
- Telephone number
- Birthdate
- National ID numbers, bank account details, etc.
Even IP addresses are considered personal data under EU law.
Profiling
Definition according to Article 4 GDPR:
“Profiling” refers to any automated processing of personal data to evaluate personal aspects, such as behavior, preferences, or location.
Controller
Definition according to Article 4 GDPR:
“Controller” means the person or entity that determines the purposes and means of processing personal data.
Processing
Definition according to Article 4 GDPR:
“Processing” means any operation performed on personal data — from collection and storage to use and deletion.
All texts are protected by copyright.
Source: Privacy policy created using the data protection generator for Austria by AdSimple
https://www.adsimple.at/datenschutz-generator/