Only the German version is legally binding.
Introduction and overview
We have drafted this Privacy Policy (version 07.08.2023-122557392) to explain to you, in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (data for short) we as the controller – and the processors we commission (e.g. providers) – process, will process in the future, and what lawful options you have. The terms used are to be understood as gender-neutral.
In short: We inform you comprehensively about the data we process about you.
Privacy policies usually sound very technical and use legal jargon. This Privacy Policy, by contrast, aims to describe the most important things to you as simply and transparently as possible. Where this aids transparency, technical terms are explained in a reader-friendly way, links to further information are provided, and graphics are used.
If any questions still remain, we would ask you to contact the responsible body named below or in the legal notice, to follow the links provided and to view further information on third-party sites. You will of course also find our contact details in the legal notice.
Scope
This Privacy Policy applies to all personal data processed by us within the company and to all personal data processed by companies we commission (processors). The scope of this Privacy Policy covers:
- all online presences (websites, online shops) that we operate
- social media presences and email communication
- mobile apps for smartphones and other devices
In short: The Privacy Policy applies to all areas in which personal data is processed in a structured way within the company via the channels mentioned.
Legal bases
In the following Privacy Policy, we provide you with transparent information on the legal principles and regulations, i.e. the legal bases of the General Data Protection Regulation, that enable us to process personal data.
As far as EU law is concerned, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. You can of course read this EU General Data Protection Regulation online on EUR-Lex, the access point to EU law, at https://eur-lex.europa.eu.
We only process your data if at least one of the following conditions applies:
- Consent (Article 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose. One example would be storing the data you enter in a contact form.
- Contract (Article 6(1)(b) GDPR): We process your data in order to fulfil a contract or pre-contractual obligations with you.
- Legal obligation (Article 6(1)(c) GDPR): Where we are subject to a legal obligation, we process your data. For example, we are legally required to keep invoices for accounting purposes.
- Legitimate interests (Article 6(1)(f) GDPR): In the case of legitimate interests that do not restrict your fundamental rights, we reserve the right to process personal data.
In addition to the EU Regulation, national laws also apply:
- In Austria, this is the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act), DSG for short.
- In Germany, the Federal Data Protection Act (BDSG) applies.
Contact details of the controller
Grafenau digital solutions GmbH
Moosweg 2a
9520 Treffen am Ossiacher See
Authorised representative: Ing. Grafenau Thomas Bsc, Msc
Email: office@grafenau.at
Phone: +43 664 / 4128491
Legal notice: https://www.grafenau.at/impressum
Storage duration
It is a general principle with us that we only store personal data for as long as is absolutely necessary to provide our services and products. This means that we delete personal data as soon as the reason for processing it no longer applies. In some cases, we are legally required to store certain data even after the original purpose has ceased to apply, for example for accounting purposes.
Should you wish to have your data deleted or withdraw your consent to data processing, the data will be deleted as quickly as possible and to the extent that there is no obligation to store it.
Your rights under the General Data Protection Regulation
In accordance with Articles 13 and 14 GDPR, we inform you of the following rights to which you are entitled, so that data is processed fairly and transparently:
- Under Article 15 GDPR, you have a right of access to information about whether we process data about you.
- Under Article 16 GDPR, you have a right to rectification of your data, which means that we must correct data if you find errors.
- Under Article 17 GDPR, you have the right to erasure ("right to be forgotten"), which specifically means that you may request the deletion of your data.
- Under Article 18 GDPR, you have the right to restriction of processing, which means that we may only store the data but not use it further.
- Under Article 20 GDPR, you have the right to data portability, which means that we will provide you with your data in a common format on request.
- Under Article 21 GDPR, you have a right to object, which, once enforced, brings about a change in processing.
- Under Article 22 GDPR, you may, in certain circumstances, have the right not to be subject to a decision based solely on automated processing (for example profiling).
- Under Article 77 GDPR, you have the right to lodge a complaint. This means you can complain to the data protection authority at any time if you believe that the processing of personal data infringes the GDPR.
In short: You have rights – do not hesitate to contact the responsible body listed above!
If you believe that the processing of your data infringes data protection law or that your rights under data protection law have been violated in some other way, you can lodge a complaint with the supervisory authority. In Austria, this is the Data Protection Authority, whose website you can find at https://www.dsb.gv.at/.
Cookies
Our website uses HTTP cookies to store user-specific data. Below we explain what cookies are and why they are used, so that you can better understand the following Privacy Policy.
Whenever you surf the internet, you use a browser. Well-known browsers include Chrome, Safari, Firefox, Internet Explorer and Microsoft Edge. Most websites store small text files in your browser. These files are called cookies.
Cookies store certain user data about you, such as language or personal site settings. When you visit our site again, your browser transmits the "user-related" information back to our site. Thanks to cookies, our website knows who you are and offers you the settings you are used to.
What types of cookies are there?
There are four types of cookies to distinguish:
Essential cookies: These cookies are necessary to ensure the basic functions of the website.
Functional cookies: These cookies collect information about user behaviour and whether the user receives any error messages.
Targeted cookies: These cookies ensure better usability.
Advertising cookies: These cookies are also called targeting cookies. They are used to deliver individually tailored advertising to the user.
Right to object – how can I delete cookies?
You decide for yourself how and whether you want to use cookies. Regardless of which service or website the cookies come from, you always have the option of deleting cookies, deactivating them or allowing them only in part.
- Chrome: delete, enable and manage cookies in Chrome
- Safari: manage cookies and website data in Safari
- Firefox: delete cookies
- Microsoft Edge: delete and manage cookies
Legal basis
Since 2009, there have been the so-called "cookie directives". These stipulate that the storage of cookies requires your consent (Article 6(1)(a) GDPR). In Austria, this directive was implemented in § 96(3) of the Telecommunications Act (TKG).
For strictly necessary cookies, even where no consent is given, there are legitimate interests (Article 6(1)(f) GDPR), which in most cases are of an economic nature.
Google Analytics 4
On our website, we use "Google Analytics 4" (GA4), a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").
What is Google Analytics 4?
Google Analytics 4 is an analytics tool that allows us to understand and improve the use of our website. GA4 uses an event-based data model to record interactions on our website.
Which data is processed?
Google Analytics 4 collects the following data:
- Technical information (IP address — anonymised, browser type, operating system, screen resolution)
- Information about your usage behaviour on our website (pages visited, time spent, actions performed)
- Demographic data (language, approximate location based on IP address)
Purpose of processing
- Analysing user behaviour to improve our website
- Creating statistics about website usage
- Optimising our content and offers
Legal basis
Processing is carried out on the basis of your consent pursuant to Art. 6(1)(a) GDPR. You can withdraw your consent at any time via our cookie banner.
You can find more information about data protection at Google at: https://policies.google.com/privacy
Meta Pixel (Facebook Pixel)
On our website, we use the "Meta Pixel" (formerly "Facebook Pixel") provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Meta").
What is the Meta Pixel?
The Meta Pixel is an analytics tool that allows us to measure the effectiveness of our advertisements on Facebook and Instagram and to improve our offers.
Which data is processed?
The Meta Pixel collects the following data:
- Technical information (IP address, browser type, operating system, screen resolution)
- Information about your usage behaviour on our website (pages visited, actions performed such as registration)
- On registration: email address (in hashed form for advanced matching)
Purpose of processing
- Measuring the effectiveness of our advertisements
- Creating target audiences for advertisements (Custom Audiences)
- Optimising our advertising activities
- Analysing user behaviour
Legal basis
Processing is carried out on the basis of your consent pursuant to Art. 6(1)(a) GDPR.
Content Delivery Network & video streaming (Bunny CDN / Bunny Stream)
On our website, we use services from Bunny CDN and Bunny Stream provided by BunnyWay d.o.o., Cesta komandanta Staneta 4A, 1215 Medvode, Slovenia ("Bunny"), to deliver media content and videos.
What is Bunny CDN / Bunny Stream?
Bunny CDN is a content delivery network that enables the fast and reliable delivery of website content. Bunny Stream is a video streaming service used to embed and play videos on our website (via the player at player.mediadelivery.net).
Which data is processed?
When content is retrieved via Bunny CDN and when videos are played via Bunny Stream, the following technical data is processed:
- IP address
- Browser information (user agent)
- Time of access
Purpose of processing
- High-performance and reliable delivery of website content
- Providing and playing embedded videos
Legal basis
Processing is carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR. Our legitimate interest lies in optimising website performance and reliably providing media content.
You can find more information about data protection at Bunny at: https://bunny.net/privacy/
Software-as-a-Service (SaaS) products: GK Routenplaner & TomsClock
As a SaaS provider, Grafenau digital solutions GmbH operates the products GK Routenplaner (route and maintenance management) and TomsClock (time tracking). This section describes all data processing that takes place within these SaaS services — in addition to the general provisions above.
Roles: controller and processor (Art. 28 GDPR)
When using our SaaS products, there are two different roles with regard to data protection:
- Grafenau digital solutions GmbH as the controller: For the data of our direct contractual partners (i.e. the companies that take out a subscription — hereinafter "Customer"). This includes, for example, company name, admin email, password (bcrypt-hashed), billing address, payment data, usage behaviour and support requests.
- Grafenau digital solutions GmbH as a processor pursuant to Art. 28 GDPR: For the data that the Customer enters or uploads into our SaaS service as part of their own business activities (e.g. data of the Customer's end customers, addresses, phone numbers, maintenance contracts, photos, inspection reports, digital signatures). Here the Customer is the controller, and we process this data exclusively on the Customer's instructions and on their behalf.
Upon conclusion of the SaaS subscription, this section of the Privacy Policy is deemed to be a data processing agreement (DPA) pursuant to Art. 28(3) GDPR between the Customer as controller and us as processor. Signing an additional separate DPA is possible on request (office@grafenau.at).
Which data is processed in the SaaS?
By us ourselves (as controller):
- Account data: company name, contact person, admin email, phone number, billing address, VAT ID
- Authentication: password (bcrypt hash, never stored in plain text), 2FA codes (bcrypt hash, TTL 10 minutes), session tokens (JWT in HttpOnly cookies, valid for 7 days)
- Payment data: Stripe Customer ID, Stripe Subscription ID, subscription status, invoice history (managed via Stripe — see below)
- Usage data: login times, features used, API call counters (storage GB, geocoding calls, route optimisation)
- Support communication: emails, ticket history
On behalf of the Customer (processing on behalf of a controller):
- End customer data: name, company name, address, phone number, email, customer number, equipment information, maintenance history, GPS coordinates
- Employee data: name, email, roles, working hours (in TomsClock), signatures
- Documents: photos, reports (incl. digital signatures), delivery notes, inspection reports, maintenance contracts
- Business processes: routes, stops, appointments, service reports
Where is the data stored? (Hosting & third-country transfer)
We use the following sub-processors (Art. 28(2) GDPR):
- Hetzner Online GmbH (Germany): MongoDB database and Hetzner Object Storage (S3-compatible). Server location Germany/EU, no third-country transfer. A DPA has been concluded with Hetzner.
- Stripe Payments Europe Ltd. (Ireland/EU): Processing of subscription payments. Stripe may transfer data to the USA; the transfer is based on the EU Standard Contractual Clauses. We transmit the following to Stripe: company name, admin email, subscription information. Payment card data is entered directly with Stripe and never reaches our systems. Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Details: stripe.com/de/privacy
- Mailjet SAS (France/EU): Sending transactional emails (registration confirmation, 2FA codes, trial expiry warnings, invoice notifications). Server location EU. The following are transmitted: recipient email, email content. Legal basis: Art. 6(1)(b) GDPR. Details: mailjet.com/de/security-privacy
- Google Ireland Ltd. (Ireland/EU), Google Maps Platform: Geocoding (converting addresses into coordinates) and route calculation. Google may transfer data to the USA; basis: EU Standard Contractual Clauses. The following are transmitted: addresses of the Customer's end customers (solely for the purpose of route calculation, no storage by Google beyond the calculation). Legal basis: Art. 6(1)(b) GDPR. Details: policies.google.com/privacy
Storage duration and deletion upon termination
We only store your data for as long as is necessary to provide the service. The following periods apply upon termination of the SaaS subscription:
- Active period: As long as your subscription is running, all data remains available.
- After termination — 30-day grace period: When the paid period ends, access to the service is blocked, but your data is retained for a further 30 days. During this time you can request reactivation or an export of your data (Art. 20 GDPR — right to data portability).
- After the grace period — hard deletion: After the 30 days have elapsed, all customer, end-customer and document data is irrevocably deleted. This includes: MongoDB documents (Companies, Users, Customers, Routes, ServiceReports, appointments, etc.), S3 objects (photos, PDFs, documents) and usage counters. Deletion is carried out automatically by our cleanup service.
- Statutory retention obligations: We retain invoices and accounting-relevant documents for 7 years in accordance with Austrian tax law (§ 132 BAO), separately from the operational SaaS data.
- Stripe payment data: Is stored by Stripe in accordance with their retention obligations — here we are not in control of the data.
Technical and organisational measures (TOMs pursuant to Art. 32 GDPR)
To protect your data, we apply the following measures:
- Encryption in transit: Exclusively HTTPS/TLS 1.2+ for all connections to the service. HTTP is always redirected to HTTPS.
- Encryption at rest: Passwords with bcrypt (12 rounds). 2FA codes with bcrypt (10 rounds). SMTP passwords encrypted in the database with AES-256-GCM. MongoDB servers with encrypted hard drives.
- Access control: Multi-tenant isolation through mandatory company ID filtering in every database query. Role-based permission system (admin, administration, technician, laboratory) with granular permissions.
- Two-factor authentication: 2FA via email code for system administrators. The codes are not stored in plain text (bcrypt hash), are valid for 10 minutes and can only be used once.
- Session security: JWT in HttpOnly cookies (not readable via JavaScript), SameSite=Lax, Secure flag in production, valid for a maximum of 7 days.
- Rate limiting: Protection against brute-force attacks through rate limiting on login and 2FA endpoints (5 attempts per minute).
- No backups: We expressly do not create our own backups of the data entered or generated by the Customer. The Customer is responsible for regularly backing up data via the built-in export function and storing it in a secure location independent of our systems. For details, see our GTC, section 11.3.
- Logging: Server access logs (anonymised IP, timestamp, endpoint) to detect attacks, retained for 30 days.
- Pseudonymisation: Internal test and development environments use pseudonymised data exclusively, never real customer data.
- Regular updates: Automatic installation of security-relevant updates for the operating system, Node.js, NestJS, MongoDB and all dependencies.
Rights in the case of processing on behalf of a controller
As our SaaS Customer, you are entitled to the following additional rights pursuant to Art. 28 GDPR:
- Right to issue instructions: You can issue us written instructions regarding the processing of your end-customer data (e.g. "Delete all data of end customer X").
- Control: You can request evidence of compliance with our TOMs at any time.
- Data export: On request, we will export all of your data in a common format (e.g. JSON, CSV) pursuant to Art. 20 GDPR.
- Support: We support you in responding to data subject requests (access, rectification, erasure) from your end customers.
- Notification obligation in the event of a data breach: We will inform you without undue delay (at the latest within 24 hours of becoming aware) of any data protection incidents affecting your data.
Please direct requests regarding these rights to office@grafenau.at.
Explanation of terms used
Processor
"Processor" – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Consent
"Consent" of the data subject – any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal data
"Personal data" – any information relating to an identified or identifiable natural person.
Personal data is therefore all data that can identify you as a person. As a rule, this is data such as: name, address, email address, postal address, phone number, date of birth, identification numbers such as social security number, tax identification number, ID card number or student registration number, bank details such as account number, credit information, account balances and much more.
Profiling
"Profiling" – any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person.
Controller
"Controller" – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
In our case, we are responsible for the processing of your personal data and are therefore the "controller".
Processing
"Processing" – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Source: Created with the Privacy Policy Generator by AdSimple