Privacy Policy

Introduction and Overview

We have written this privacy policy (version dated 13.02.2025-112947836) to explain to you, in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (short: data) we — as the controller — and our contracted processors (e.g. hosting providers) process, will process in the future, and what lawful options you have. All terms used are intended to be understood in a gender-neutral manner.
In short: We provide comprehensive information about the data we process about you.

Privacy policies usually sound very technical and use legal terminology. However, this privacy policy aims to explain the most important aspects as clearly and transparently as possible. Where it helps transparency, technical terms are explained in a reader-friendly way, links to further information are provided, and graphics may be used. We want to communicate in plain and simple language that we only process personal data within our business activities when there is a legal basis to do so. This is not achievable by using overly brief, unclear, or legally-technical explanations — as often seen on the internet.
We hope you find the following information interesting and informative. If you have any further questions, please contact the responsible party listed below or in the legal notice (Impressum), follow the available links, or refer to third-party websites. Our contact details are also listed in the legal notice.

Scope

This privacy policy applies to all personal data processed by us in the company and to all personal data processed by companies commissioned by us (processors). By personal data, we mean information as defined in Article 4 No. 1 GDPR, such as names, email addresses, and postal addresses of individuals. The processing of personal data ensures that we can provide and bill for our services and products — whether online or offline.
This privacy policy applies to:

  • all online presences (websites, online shops) we operate
  • social media presences and email communications
  • mobile apps for smartphones and other devices

In short: The privacy policy applies to all areas where we process personal data in a structured manner through the channels mentioned above. If we enter into legal relations with you outside of these channels, we will inform you separately if necessary.

Legal Bases

In the following privacy policy, we provide transparent information about the legal principles and regulations — the legal bases of the GDPR — that allow us to process personal data.
With regard to EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. You can read this EU General Data Protection Regulation online at EUR-Lex, the EU law portal, at https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32016R0679.

We only process your data if at least one of the following conditions applies:

  1. Consent (Article 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose. An example would be storing your entered data in a contact form.
  2. Contract (Article 6(1)(b) GDPR): We process your data to fulfill a contract or pre-contractual obligations with you. For example, when concluding a purchase contract with you, we need personal information in advance.
  3. Legal Obligation (Article 6(1)(c) GDPR): If we are subject to a legal obligation, we process your data. For example, we are legally required to keep invoices for accounting purposes, which usually contain personal data.
  4. Legitimate Interests (Article 6(1)(f) GDPR): In cases of legitimate interests that do not override your fundamental rights, we reserve the right to process personal data. For instance, we need to process certain data to operate our website securely and efficiently — this processing is thus a legitimate interest.

Other conditions such as the performance of tasks in the public interest or the protection of vital interests generally do not apply to us. If such a legal basis should apply, it will be stated at the relevant point.

In addition to the EU regulation, national laws also apply:

  • In Austria, this is the Data Protection Act (Datenschutzgesetz, DSG).
  • In Germany, the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).

If further regional or national laws apply, we will inform you in the following sections.

Contact Details of the Responsible Party

If you have questions about data protection or the processing of personal data, you will find the contact details of the responsible party according to Article 4(7) GDPR below:
Monon e.U.
Ingeborg Patsch
Schönebenweg 293, 5733 Bramberg, Austria

Email: inge@monon.eu
Phone: +43 6641201682
Legal notice: https://www.monon.eu/impressum/

Data Retention

As a general rule, we only store personal data for as long as is absolutely necessary to provide our services and products. This means that we delete personal data as soon as the reason for data processing no longer exists. In some cases, we are legally obligated to retain certain data even after the original purpose no longer applies — for example, for accounting purposes.

If you request the deletion of your data or revoke your consent to data processing, we will delete the data as quickly as possible, provided there is no obligation to retain it.

Where applicable, we inform you below about the specific duration of individual data processing activities, if further information is available.

Your Rights under the General Data Protection Regulation

According to Articles 13 and 14 GDPR, you have the following rights to ensure fair and transparent data processing:

  • Right of Access (Article 15 GDPR): You have the right to know whether we are processing your personal data. If we are, you may request a copy of the data and information such as:
    • The purpose of processing
    • The categories of data processed
    • The recipients of the data, and if data is transferred to third countries, how protection is ensured
    • The duration of data storage
    • The existence of the right to rectification, deletion, or restriction of processing, and the right to object to the processing
    • That you have the right to lodge a complaint with a supervisory authority
    • The origin of the data, if not collected directly from you
    • Whether profiling is used to create a personal profile of you
  • Right to Rectification (Article 16 GDPR): You have the right to correct incorrect personal data.
  • Right to Erasure (“Right to be Forgotten”, Article 17 GDPR): You have the right to request deletion of your personal data.
  • Right to Restriction of Processing (Article 18 GDPR): You have the right to restrict processing so that we may only store data but not use it.
  • Right to Data Portability (Article 20 GDPR): Upon request, we must provide your data in a commonly used format.
  • Right to Object (Article 21 GDPR):
    • If data processing is based on Article 6(1)(e) (public interest or exercise of official authority) or Article 6(1)(f) (legitimate interest), you may object. We will assess whether we can comply with your objection based on legal grounds.
    • If data is used for direct marketing, you may object at any time. We will then no longer use your data for such purposes.
    • If data is used for profiling, you may object at any time. We will then cease profiling using your data.
  • Right not to be subject to automated decision-making (Article 22 GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling.
  • Right to Lodge a Complaint (Article 77 GDPR): If you believe that our processing of your personal data violates data protection law or your rights, you may file a complaint with a data protection authority.

In short: You have rights — don’t hesitate to contact us using the details above!

If you believe that your data is being processed unlawfully or that your rights under data protection law have been violated, you can file a complaint with a supervisory authority. In Austria, the competent authority is:

Austrian Data Protection Authority

Head: Dr. Matthias Schmidl
Address: Barichgasse 40-42, 1030 Vienna, Austria

Email: dsb@dsb.gv.at
Phone: +43 1 52 152-0
Website: https://www.dsb.gv.at/

Data Security Measures

To protect personal data, we have implemented both technical and organizational measures. Where possible, we encrypt or pseudonymize personal data. Within our capabilities, this makes it as difficult as possible for third parties to identify personal information.

Article 25 GDPR refers to “data protection by design and by default,” which means that security must be a consideration in both software (e.g. forms) and hardware (e.g. server room access). Below, we may outline specific measures if applicable.

TLS Encryption with HTTPS

TLS, encryption, and HTTPS all sound very technical—and they are. We use HTTPS (Hypertext Transfer Protocol Secure) to ensure that data is securely transmitted over the internet.

This means the entire transfer of data from your browser to our web server is secured—no one can “listen in.”
This adds an additional layer of security and helps us fulfill the requirement for data protection by design (Article 25(1) of the GDPR). By using TLS (Transport Layer Security), a protocol for secure data transmission on the internet, we can ensure the protection of confidential information.

You can recognize the use of this secure transmission by the small lock symbol in the top left corner of your browser, to the left of the website address (e.g., examplepage.com), and by the use of “https” (instead of “http”) as part of our web address.

If you’d like to learn more about encryption, we recommend searching Google for “Hypertext Transfer Protocol Secure wiki” to find good links to further information.

Communication

Communication Summary
👥 Affected individuals: Anyone communicating with us via phone, email, or online forms
📓 Data processed: e.g., phone number, name, email address, data entered into forms. More details depend on the communication method used
🤝 Purpose: Managing communication with customers, business partners, etc.
📅 Storage duration: For the duration of the business case and as required by law
⚖️ Legal basis: Art. 6(1)(a) GDPR (consent), Art. 6(1)(b) GDPR (contract), Art. 6(1)(f) GDPR (legitimate interests)

When you contact us via phone, email, or online form, personal data may be processed.
This data is used to handle and respond to your inquiry and the related business process. It is stored only as long as necessary for this purpose or as legally required.

Affected Individuals

All individuals who use the communication channels we provide are affected by these processes.

Phone

When you call us, the call data is stored pseudonymously on the relevant device and by the telecommunications provider. Additionally, information such as your name and phone number may be sent via email and stored for inquiry processing. This data is deleted once the business case is completed and legal requirements allow.

Email

When you communicate with us via email, data may be stored on the respective device (computer, laptop, smartphone, etc.) and also on the email server. This data is deleted once the business case is closed and legal retention periods allow.

Online Forms

When you contact us using an online form, data is stored on our web server and may be forwarded to one of our email addresses. The data is deleted once the business case is closed and in accordance with legal requirements.

Legal Basis

Data processing is based on the following legal grounds:

  • Art. 6(1)(a) GDPR (Consent): You give us consent to store and use your data for purposes related to the business case.
  • Art. 6(1)(b) GDPR (Contract): Data processing is necessary to fulfill a contract with you or with a data processor, such as a telecom provider, or for pre-contractual measures like preparing an offer.
  • Art. 6(1)(f) GDPR (Legitimate Interests): We aim to conduct customer service and business communication professionally. To do so, we require certain technical tools such as email programs, Exchange servers, and mobile operators to ensure efficient communication.

Data Processing Agreement (DPA)

In this section, we’d like to explain what a Data Processing Agreement (DPA) is and why it’s needed. Since “Data Processing Agreement” can be a bit of a mouthful, we’ll often refer to it here simply as DPA.

Like most businesses, we don’t work alone—we also use the services of other companies or individuals. When we share personal data with these service providers, they act as data processors. With each of them, we sign a DPA.

The most important thing for you to know: the processing of your personal data is carried out solely based on our instructions and is governed by this agreement.

Who Are Data Processors?

As a company and website owner, we are responsible for all the data we process from you.
In addition to the controller (that’s us), there may be so-called data processors. This includes any company or individual who processes personal data on our behalf.

More precisely, under the GDPR definition: any natural or legal person, authority, institution, or other entity that processes personal data on our behalf is considered a data processor.

Data processors can include service providers such as hosting or cloud providers, payment or newsletter services, or large companies like Google or Microsoft.

Here’s an overview of the three key roles in GDPR:

Data subject (you, the customer or interested party) → Controller (us, the business/website owner) → Data processor (e.g., web hosting provider, cloud service).

What a DPA Must Contain

As mentioned earlier, we have signed a DPA with all partners acting as data processors. This agreement ensures that the data processor processes data exclusively according to the GDPR.

The contract must be in writing—though an electronic version also counts as written form.
Only once the agreement is in place may personal data be processed.

The DPA must include the following:

  • Binding the processor to us as the controller
  • The duties and rights of the controller
  • Categories of data subjects
  • Types of personal data
  • The nature and purpose of data processing
  • Subject and duration of data processing
  • Location of data processing

Additionally, the agreement contains all duties of the data processor. Key duties include:

  • Ensuring data security measures
  • Taking technical and organizational steps to protect the rights of data subjects
  • Maintaining a record of processing activities
  • Cooperating with data protection authorities upon request
  • Conducting a risk analysis related to the personal data received
  • Engaging subcontractors only with our written permission

You can view an example of such a DPA (in German) here:
WKO Sample DPA

Cookies

Summary of Cookies
👥 Affected parties: Visitors to the website
🤝 Purpose: Depends on the specific cookie. More details can be found below or from the provider of the software that sets the cookie.
📓 Data processed: Depends on the cookie used. More details can be found below or from the software provider.
📅 Storage duration: Varies depending on the cookie; can range from hours to years
⚖️ Legal basis: Art. 6(1)(a) GDPR (consent), Art. 6(1)(f) GDPR (legitimate interests)

What are cookies?

Our website uses HTTP cookies to store user-specific data.
Below, we explain what cookies are and why they are used to help you better understand this privacy policy.

Whenever you browse the internet, you use a browser—like Chrome, Safari, Firefox, Internet Explorer, or Microsoft Edge. Most websites store small text files in your browser. These are called cookies.

Let’s face it: cookies are extremely useful little helpers. Almost all websites use them. More specifically, we use HTTP cookies, as there are also other types for different uses.
HTTP cookies are small files saved by our website on your computer. These files are automatically stored in the cookie folder—essentially the “memory” of your browser. A cookie consists of a name and a value, and it can also include one or more attributes.

Cookies store certain information about you—such as language preferences or personalized settings. When you return to our site, your browser sends back the relevant information so that the site recognizes you and provides your usual settings.
In some browsers, each cookie has its own file; in others (like Firefox), all cookies are stored in a single file.

Here’s an illustration of how a browser (e.g. Chrome) interacts with a web server: the browser requests a website and receives a cookie, which it then sends back with future requests.

HTTP cookie interaction between browser and web server

First-party and third-party cookies

There are both first-party cookies, which are set by our site, and third-party cookies, which are set by partner websites (e.g., Google Analytics).
Each cookie must be evaluated individually, as each stores different data. Cookie expiration times also vary—from a few minutes to several years. Cookies are not software programs and do not contain viruses, trojans, or other malware. They also cannot access information on your computer.

An example of cookie data:

Name: _ga
Value: GA1.2.1326744211.152112947836-9
Purpose: Distinguishes website visitors
Expiration: After 2 years

Minimum browser support for cookies:

  • At least 4096 bytes per cookie
  • At least 50 cookies per domain
  • At least 3000 cookies in total

What types of cookies are there?

Which cookies we use depends on the services in use and is explained in detail later in this privacy policy.

But here is a brief overview of the four types of HTTP cookies:

Essential cookies
Required for core website functions. For example, these cookies remember products added to your cart even if you continue browsing or close your browser window.

Functional cookies
Collect information about user behavior and any error messages. They also help measure loading times and browser compatibility.

Preference cookies
Enhance user experience—for example, by saving entered locations, font sizes, or form data.

Marketing cookies
Also called targeting cookies. Used to display personalized ads. These can be helpful but also intrusive.

When you visit a website for the first time, you’re usually asked which cookie types you’d like to allow. Your preferences are also stored in a cookie.

If you’d like to dive deeper into the technical side of cookies, we recommend:
https://datatracker.ietf.org/doc/html/rfc6265, the Request for Comments document from the Internet Engineering Task Force (IETF) titled “HTTP State Management Mechanism.”

Purpose of processing via cookies

The exact purpose depends on the specific cookie. More information can be found below or from the provider of the software that sets the cookie.

What data is processed?

Cookies serve many different purposes. The specific data stored in cookies varies. We’ll inform you of the types of data processed in the following sections of this privacy policy.

How long are cookies stored?

Storage duration depends on the cookie and is detailed further down. Some cookies are deleted within an hour; others may remain stored for several years.

You can influence how long cookies are stored. You can manually delete all cookies through your browser settings at any time (see below under “Right to Object”).
Cookies that rely on consent are deleted as soon as that consent is withdrawn—though the lawfulness of data storage prior to that point remains unaffected.

Right to object – How can I delete cookies?

You control whether and how cookies are used. Regardless of which website or service sets them, you can delete, disable, or allow cookies selectively.
For instance, you can block third-party cookies while allowing all others.

To see which cookies are stored in your browser, or to change/delete settings, follow these guides:

Chrome: Delete, enable, and manage cookies in Chrome

Safari: Manage cookies and website data in Safari

Firefox: Delete cookies to remove site data stored on your computer

Internet Explorer: Delete and manage cookies

Microsoft Edge: Delete and manage cookies

You can also set your browser to always notify you before a cookie is set—allowing you to decide on a case-by-case basis.
The exact steps vary by browser; just search for “delete cookies Chrome” or “disable cookies Chrome” in Google for instructions.

Legal Basis

Since 2009, so-called “cookie guidelines” have required user consent (Art. 6(1)(a) GDPR) for storing cookies.
Different EU countries have implemented this rule in various ways.

  • Austria: Implemented via § 165(3) of the Telecommunications Act (2021)
  • Germany: Not implemented as national law, but incorporated into § 15(3) of the Telemedia Act (TMG), now replaced in May 2024 by the Digital Services Act (DDG)

Essential cookies can still be used without consent if a legitimate interest exists (Art. 6(1)(f) GDPR)—usually of a business nature, e.g., ensuring a smooth user experience.

All non-essential cookies are only used if you give explicit consent. The legal basis here is Art. 6(1)(a) GDPR.

In the following sections, you will be informed in more detail about which cookies are used—if the software deployed uses cookies.

Web Hosting – Introduction

Web Hosting Summary
👥 Affected: Website visitors
🤝 Purpose: Professional hosting of the website and securing operations
📓 Data processed: IP address, time of website visit, browser used, and other data. More details can be found below or from the respective web hosting provider.
📅 Storage duration: Depends on the provider, usually around 2 weeks
⚖️ Legal basis: Art. 6(1)(f) GDPR (legitimate interests)

What is web hosting?

When you visit websites today, certain information—including personal data—is automatically generated and stored. This also applies to this website. Such data should always be processed sparingly and only when justified.

By “website,” we mean all web pages under one domain, from the homepage to the very last subpage (like this one). A domain might be something like example.com or mywebsite.org.

To view a website on a computer, tablet, or smartphone, you use a web browser—examples include Chrome, Safari, Firefox, Internet Explorer, and Microsoft Edge.

To display the website, your browser connects to another computer where the website’s code is stored—this is called a web server. Hosting a web server is a complex task and is usually handled by professional providers. These companies offer web hosting services, ensuring reliable and error-free storage of website data.

During the connection between your browser and the web server, personal data may be processed. Your computer stores data, and the web server may also temporarily store data to ensure smooth operation.

The following graphic illustrates how the browser, the internet, and the hosting provider interact (not included here).

Browser and web server

Why do we process personal data?

The purposes are:

  1. Professional hosting and ensuring the functionality of the website
  2. Maintaining operational and IT security
  3. Anonymous analysis of access behavior to improve our offering, and if needed, for prosecution or legal enforcement

What data is processed?

Even now, as you browse our website, our web server typically stores the following data automatically in so-called web server log files:

  • Full URL of the accessed page
  • Browser and version (e.g. Chrome 87)
  • Operating system used (e.g. Windows 10)
  • Referrer URL (the previous page you visited)
  • Hostname and IP address of the accessing device
  • Date and time of access

How long is the data stored?

This data is usually stored for about two weeks and then automatically deleted. We do not share this data, but cannot exclude the possibility that it could be viewed by authorities in the event of unlawful behavior.

In short: Your visit is logged by our provider (the company that runs the server), but we do not pass on your data without consent.

Legal basis

The lawful processing of personal data in the context of web hosting is based on Art. 6(1)(f) GDPR (legitimate interest), as using a professional hosting provider is necessary for operating a secure and user-friendly website and for defending against or pursuing claims.

We also have a data processing agreement (DPA) in place with the hosting provider in accordance with Art. 28 GDPR, ensuring data protection and security.

External Hosting Provider

Below are the contact details of our external hosting provider, where you can find more information:

Maxer Host Limited
71 Lower Baggot Street
Dublin, D02 P593, IRELAND

You can find more about data processing by this provider in their privacy policy.

Website Builder Systems – Introduction

Website Builder Privacy Summary
👥 Affected: Website visitors
🤝 Purpose: Optimization of our service
📓 Data processed: Technical usage data (browser activity, clickstream, session heatmaps), contact data, IP address, geographic location. More details below or in the provider’s privacy policy.
📅 Storage duration: Depends on the provider
⚖️ Legal basis: Art. 6(1)(f) GDPR (legitimate interests), Art. 6(1)(a) GDPR (consent)

What are website builder systems?

We use a website builder system for our website. These systems are a special type of content management system (CMS). They allow users to easily build and manage a website without programming knowledge. Many web hosting providers also offer website builders.

By using such systems, personal data may be collected, stored, and processed. This section provides general information; for details, please refer to the provider’s privacy policy.

Why do we use a website builder?

The biggest benefit is ease of use. We want to offer you a clear and accessible website that we can manage ourselves—without needing external help.
Website builders now include many useful features that can be used without technical skills. This allows us to design our site according to our needs and offer you a pleasant, informative experience.

What data is collected by a website builder?

The exact data depends on the provider, but generally includes:

  • Technical usage info (e.g. operating system, browser, screen resolution, language/keyboard settings, hosting provider, date of visit)
  • Tracking data (e.g. browser activity, clickstream data, session heatmaps)
  • Personal data (e.g. email address, phone number—if entered—IP address, and geographic location)

More details can be found in the privacy policy of the specific provider.

How long and where is the data stored?

Storage duration depends on the specific system used. We provide further details where possible below.
Generally, personal data is only processed as long as necessary for providing our services.
However, some providers may store your data according to their own policies—which we cannot control.

Right to object

You have the right to access, correct, or delete your personal data at any time.
For questions, you can contact the provider directly. Contact details are in our privacy policy or on the provider’s website.

Cookies used by the builder’s system can be deleted, disabled, or managed via your browser settings.
Please note: disabling cookies may limit some website functions.

Legal basis

We have a legitimate interest in using a website builder system to optimize and present our online services effectively and accessibly.
Legal basis: Art. 6(1)(f) GDPR.
We only use tracking or non-essential features if you have given consent.
In those cases, the legal basis is Art. 6(1)(a) GDPR.

This privacy notice summarizes the key information regarding data processing.
For more details, please refer to the sections below or the provider’s own privacy policy.

WordPress.com Privacy Policy

Summary
👥 Affected individuals: Website visitors
🤝 Purpose: Optimization of our services
📓 Data processed: Technical usage data (browser activity, clickstream behavior, session heatmaps), contact details, IP address, geographic location. More details can be found below in this privacy policy.
📅 Storage duration: Depends primarily on the type of data and specific settings.
⚖️ Legal basis: Art. 6(1)(a) GDPR (consent), Art. 6(1)(f) GDPR (legitimate interests)

What is WordPress?

We use the well-known content management system WordPress.com for our website. The service is provided by the American company Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA.

Founded in 2003, Automattic quickly became one of the most well-known CMS providers worldwide. A CMS is software that helps us design and manage our website and its content—text, audio, or video—in an organized and visually appealing way.

Using WordPress may involve the collection, storage, and processing of personal data. Typically, this includes technical data such as your operating system, browser, screen resolution, and hosting provider. However, personal data like your IP address, geographic data, or contact details may also be processed.

Why do we use WordPress?

Although we have many strengths, programming is not one of our core skills.
Still, we want to offer a powerful and attractive website that we can manage ourselves. WordPress, as a CMS, allows exactly that—without needing programming knowledge.

With its user-friendly interface and comprehensive features, WordPress lets us shape our online presence the way we want while ensuring an enjoyable user experience for you.
When technical challenges arise, we have experts to support us with HTML, PHP, CSS, and more.

What data is processed by WordPress?

Non-personal data includes technical usage information such as:

  • Browser activity
  • Clickstream behavior
  • Session heatmaps
  • Device and browser details
  • Screen resolution
  • Language and keyboard settings
  • Hosting provider
  • Date of visit

Personal data may include:

  • Contact details (email, phone number if provided)
  • IP address
  • Geographic location

WordPress may also use cookies to gather behavioral data—e.g., which subpages you visit, how long you stay on each page, bounce rate, and your preferences (like language settings).
These insights help WordPress tailor marketing efforts and present the site according to your preferences during future visits.

WordPress may also use technologies like pixel tags (web beacons) to uniquely identify users and potentially display personalized ads.

How long and where is data stored?

The storage duration depends on the type of data and site settings. Generally, data is deleted once it is no longer needed.
Exceptions exist if legal retention is required.

Web server logs, including your IP address and technical data, are deleted by WordPress/Automattic after 30 days. Deleted content from WordPress sites is kept in the trash for 30 days and may remain in backups or caches until they’re deleted.

Data is stored on Automattic’s U.S. servers.

How can I delete my data or prevent storage?

You have the right to access, object to, or request the deletion of your personal data at any time.
You can also file a complaint with a supervisory authority.

In your browser, you can manage or delete cookies. Note that this may affect functionality on our WordPress site.
See our “Cookies” section for browser-specific guides.

Legal basis

If you’ve consented to the use of WordPress, the legal basis for processing is your consent under Art. 6(1)(a) GDPR.

We also have a legitimate interest in using WordPress to provide an optimized online experience (Art. 6(1)(f) GDPR). However, we only use WordPress features with your consent.

International Data Transfer:
Automattic processes data in the USA and is an active participant in the EU-US Data Privacy Framework, ensuring secure and lawful data transfer.
Automattic also uses Standard Contractual Clauses (SCCs) under Art. 46(2) and (3) GDPR to ensure compliance with European data protection standards, even when data is stored outside the EU.
You can read more at: Automattic Privacy Policy
SCCs and EU decision documents: EU Commission decision

WordPress/Automattic also processes your data in the USA, among other places. Automattic is an active participant in the EU-US Data Privacy Framework, which governs the correct and secure transfer of personal data of EU citizens to the USA. More information can be found at https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.

Data Processing Agreement (DPA) with WordPress.com

In accordance with Art. 28 GDPR, we’ve signed a Data Processing Agreement (DPA) with WordPress.com.
This agreement specifies that WordPress may only process personal data on our instruction and in compliance with GDPR.
You can find the DPA here: WordPress DPA

Web Analytics – Introduction

Summary
👥 Affected individuals: Website visitors
🤝 Purpose: Analyzing visitor behavior to improve our website
📓 Data processed: Access statistics including location, device data, visit duration and time, navigation behavior, click behavior, IP addresses
📅 Storage duration: Depends on the analytics tool used
⚖️ Legal basis: Art. 6(1)(a) GDPR (consent), Art. 6(1)(f) GDPR (legitimate interests)

What is Web Analytics?

We use tools to analyze visitor behavior on our website. These tools (also called tracking tools) collect data that is stored and processed by the respective provider.

The analysis helps us understand how users interact with our site, and some tools include A/B testing features—for example, comparing two versions of content to determine which performs better.
User profiles may be created, and cookies may be used for these purposes.

Why do we use Web Analytics?

Our goal is to offer the best online service in our field. Web analytics helps us:

  • Understand how users interact with our site
  • Identify popular content and features
  • Improve site usability and effectiveness

We can also identify technical errors and defend against attacks.

What data is processed?

This depends on the tool used. Typically:

  • Pages viewed
  • Buttons or links clicked
  • Visit times and duration
  • Browser type
  • Device used (PC, smartphone, etc.)
  • Operating system
  • IP address (usually pseudonymized)

No direct identifiers (name, email, etc.) are stored unless explicitly provided.

Schematic data flow in Google Analytics

How long is data stored?

Storage duration depends on the tool and its settings. Some cookies are short-term; others can last for years.

Duration of processing

We process data only as long as needed to deliver our services.
In some cases (e.g., accounting), longer storage may be legally required.

Right to object

You can withdraw consent at any time using our cookie consent tool or opt-out functions.
You can also manage cookies directly in your browser settings.

Legal basis

Web analytics is based on your consent per Art. 6(1)(a) GDPR, obtained through our cookie banner.

Additionally, we have a legitimate interest in analyzing user behavior to improve our offering (Art. 6(1)(f) GDPR).
However, tools are only used if you’ve given your consent.

More information on cookies is available in our general cookie policy.
You’ll find details on specific tools (e.g. Matomo Cloud) in the following sections.

Matomo Cloud Privacy Policy

Matomo Cloud – Privacy Summary
👥 Data Subjects: Website visitors
🤝 Purpose: To analyze visitor data in order to improve our web offering.
📓 Processed Data: Access statistics including access locations, device data, time and duration of visit, navigation behavior, click patterns, and IP addresses.
📅 Storage Duration: As long as required for service delivery.
⚖️ Legal Basis: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate Interests)

What is Matomo Cloud?

We use the web analytics platform Matomo Cloud on our website. The service is provided by the New Zealand-based company InnoCraft Ltd, 7 Waterloo Quay PO625, 6140 Wellington, New Zealand.

Matomo is a privacy-friendly analytics tool that gives us, as website operators, detailed statistics about how visitors use our site—without compromising your privacy. We have access to a Matomo dashboard, which offers various analysis tools. Matomo also provides options to anonymize IP addresses and disable cookies.

Why Do We Use Matomo Cloud?

Most analytics tools collect a large amount of personal data and may pass it on to third parties. This makes it difficult to maintain control over your information. Because data protection is important to us, we’ve chosen Matomo—a more privacy-conscious alternative.

At the same time, we don’t want to forgo analytics entirely. Understanding how people interact with our site helps us improve our services and better meet your needs.

What Data Does Matomo Cloud Collect?

Besides personal information you may actively share with us (such as your name, address, or date of birth), Matomo collects data about how you use the site. This typically includes:

  • The number of visitors
  • Page views
  • Time spent on the site
  • Search terms used
  • Device and browser type
  • Operating system
  • Screen resolution
  • Referral source (how you arrived at the site)

Matomo may also process your IP address, though anonymization options are in place. No data is ever sold or shared with third parties.

How Long and Where Is the Data Stored?

Matomo Cloud is a hosted solution. This means your data is stored on Matomo’s own servers, all located within the EU—even though the company is based in New Zealand.

In general, data is stored for as long as needed to fulfill business purposes. Unfortunately, we cannot provide exact retention periods here, as they vary depending on individual configurations.

How Can You Delete or Prevent the Use of Your Data?

You have the right to access your personal data at any time and to object to its use or processing. You can also file a complaint with a relevant data protection authority.

Additionally, you can manage, delete, or disable cookies directly in your browser settings. Please note that doing so may affect the functionality of this website. You’ll find browser-specific instructions under the “Cookies” section of our privacy policy.

If you’d like to request deletion of your data, feel free to contact us directly.

Legal Basis

We use Matomo Cloud based on your explicit consent, which we collect via our cookie consent tool. According to Art. 6(1)(a) GDPR, this consent forms the legal basis for processing any personal data involved in web analytics.

In addition, we have a legitimate interest in analyzing user behavior to improve both the technical performance and economic viability of our website. This is supported by Art. 6(1)(f) GDPR. That said, we only use Matomo Cloud if you’ve actively given your consent.

For more information on the data Matomo Cloud processes, please visit: https://matomo.org/matomo-cloud-privacy-policy.
For privacy-related inquiries, contact: privacy@matomo.org.

Email Marketing – Introduction

Email Marketing Summary
👥 Affected individuals: Newsletter subscribers
🤝 Purpose: Direct advertising via email, notification of system-relevant events
📓 Data processed: Data entered during registration—at minimum, the email address. More details can be found with the respective email marketing tool.
📅 Storage duration: For the duration of the subscription
⚖️ Legal basis: Art. 6(1)(a) GDPR (consent), Art. 6(1)(f) GDPR (legitimate interests)

What is email marketing?

To keep you updated, we use email marketing. If you have agreed to receive our emails or newsletters, your data may be processed and stored.

Email marketing is a subcategory of online marketing. News or general information about our company, services, or products is sent by email to people who have shown interest.

To participate in our email marketing (usually via newsletter), all you typically need to do is register with your email address. Sometimes we may also ask for your name and salutation so we can address you personally.

Newsletter signups generally follow a double opt-in process. After signing up, you will receive a confirmation email to ensure the email address is valid and belongs to you. Each subscription is logged (e.g., signup and confirmation timestamps, IP address) to comply with legal obligations.

Why do we use email marketing?

We aim to keep in touch and share important updates about our work.
Newsletters—often referred to simply as “emails”—help us inform you about company updates, services, products, or special offers.

We use professional tools or providers to ensure that our emails are secure and efficiently delivered.
The primary goal of our email marketing is to inform you about new offerings while advancing our business goals.

What data is processed?

When subscribing to our newsletter via the website, you join an email list. In addition to your email address and IP address, we may collect and store your name, salutation, address, and phone number—but only if you provide this data voluntarily.

Some systems may also store device-related data or your preferences on our website.
Your consent is recorded to ensure compliance with legal standards.

Duration of data processing

If you unsubscribe from our newsletter, we may retain your email address for up to three years based on our legitimate interest to prove prior consent, particularly in case of legal disputes.

You can request deletion at any time. If you withdraw consent permanently, we may add your email address to a blocklist to prevent further communication.
As long as you’re subscribed, we will retain your email address.

Right to object

You can unsubscribe from the newsletter at any time by withdrawing your consent. Usually, you can do this with just one or two clicks—via the unsubscribe link found at the bottom of every email.

If the link is missing or not working, just email us, and we’ll cancel your subscription immediately.

Legal basis

The legal basis for sending newsletters is your consent (Art. 6(1)(a) GDPR).
We may also send advertising messages if you’ve become a customer and have not objected to the use of your email for direct marketing.

More information about third-party email marketing tools and how they process data can be found—if applicable—in the sections below.

Explanation of Terms

We aim to write our privacy policy clearly and understandably. However, some technical and legal terms require clarification. Below you’ll find an alphabetical glossary of key terms used throughout the policy. When applicable, we include official GDPR definitions and explanatory notes.

Processor

Definition (Article 4 GDPR):

A natural or legal person, authority, agency, or other body that processes personal data on behalf of the controller.

Explanation:
We, as the website owner, are responsible for all data we process. If another company processes data on our behalf (e.g. hosting, email marketing), it is considered a processor. Examples include accountants, cloud providers, payment systems, and companies like Google or Microsoft.

Consent

Definition (Article 4 GDPR):

Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they agree to the processing of personal data.

Explanation:
Consent is usually collected through cookie banners or opt-in forms. If you don’t give consent, your data may not be processed. Consent can also be given in writing.

Personal Data

Definition (Article 4 GDPR):

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Explanation: Any information relating to an identified or identifiable natural person. Examples include:

  • Name
  • Address
  • Email
  • Phone number
  • Date of birth
  • Identification numbers (e.g. tax ID, passport number)
  • Bank data (account number, credit info)

Even your IP address is considered personal data, as it can reveal your approximate location and identity.
Special categories of personal data (more sensitive) include:

  • Racial/ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Union membership
  • Genetic or biometric data
  • Health or sexual orientation

Profiling

Definition (Article 4 GDPR):

‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person,
in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Explanation:
Profiling aggregates data to form insights about a person—for example, for advertising or credit checks. Web analysis tools often use profiling to deliver targeted content.

Controller

Definition (Article 4 GDPR):

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Explanation:
We are the controller of your data. If we delegate data handling to others (e.g. a service provider), they become processors. A Data Processing Agreement (DPA) must be signed in such cases.

Processing

Definition (Article 4 GDPR):

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means,
such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Explanation:
Whenever we mention “processing” in this policy, we mean any handling of personal data, including collection, storage, and use.

Closing Statement

Congratulations!
If you’re reading this, you’ve either carefully gone through our entire privacy policy or at least scrolled all the way down—well done!

As you can see, we take the protection of your personal data very seriously.
We strive to inform you clearly and responsibly about what data we process and why we use certain tools.

Most privacy policies sound highly technical and legalistic. Because we assume most of our readers are neither web developers nor lawyers, we’ve tried to explain things in plain language wherever possible. Where that wasn’t feasible, we’ve provided a glossary of key terms.

If you have any questions about how your data is handled on our website, don’t hesitate to contact us or the responsible entity listed.

We wish you a pleasant experience—and hope to welcome you back to our website soon!

All texts are protected by copyright.
Source: Privacy Policy created with the Datenschutz Generator for Austria by AdSimple