1. Controller and contact details
The controller for the processing of personal data on this website is: [insert full legal company name], [insert registered address], Austria.
You can contact us regarding privacy matters at [insert privacy email address] or by post at the address above.
If a data protection officer has been appointed for your organization, add the name and contact details here. If no data protection officer is required, remove this sentence before publishing.
2. What data we process
We process personal data that you provide directly, data that arises when you use the website, and data that is generated when you choose to allow analytics.
Depending on your interaction with the website, this can include contact details, company information, message content, assessment request details, consent preferences, technical connection data, log data, and analytics data.
- Identity and contact data, such as first name, last name, email address, phone number, and company name.
- Inquiry and communication data, such as subject lines, message content, project descriptions, assessment answers, and follow-up correspondence.
- Newsletter and update consent data, such as opt-in status, time of consent, and proof of consent or withdrawal.
- Technical usage data, such as IP-related connection data, timestamps, browser and device information, pages requested, and security or error logs.
- Analytics data collected through Google Analytics if you actively consent to measurement cookies.
3. Hosting, storage, and security through Cloudflare
This website is hosted through Cloudflare. Based on the processing model used for this website, Cloudflare hosts the website and processes and stores the data submitted through the website.
When you visit the website, Cloudflare may process technical request data and security-related information that is necessary to deliver the website, maintain availability, protect against misuse, and support troubleshooting.
If you submit a contact form, request an assessment result, or otherwise send information through the website, the submitted data may be transmitted through and stored within the Cloudflare-based hosting setup used for this website.
- Purpose: website delivery, hosting, storage, security, abuse prevention, and technical administration.
- Legal basis: Article 6(1)(f) GDPR where processing is necessary for secure and reliable operation, and Article 6(1)(b) GDPR where the processing is required to handle a request initiated by you.
- Role: Cloudflare is used as a processor or infrastructure provider within our hosting setup, depending on the specific processing activity.
4. Contact forms and inquiries
If you contact us through the contact form or by similar means, we process the data you provide in order to handle your inquiry, respond to you, and document the communication.
Mandatory fields are marked as such because we need them to process your request. If you do not provide the mandatory data, we may be unable to respond properly.
The legal basis is usually Article 6(1)(b) GDPR if your inquiry relates to pre-contractual steps or requested services, and otherwise Article 6(1)(f) GDPR based on our legitimate interest in handling business communications efficiently.
5. Assessment requests and compliance result emails
If you use the assessment or compliance-related forms, we process the information you submit in order to evaluate the request, prepare a response, and send the result to the email address you provide.
This may include your contact data, company data, answers you give in the questionnaire, and any website URL or project information you submit.
The legal basis is Article 6(1)(b) GDPR where the request is aimed at receiving a service, assessment, or pre-contractual information, and Article 6(1)(f) GDPR for internal documentation and quality assurance.
6. Newsletters and product or service updates
If you agree to be contacted by x09.io about product and service updates and to receive newsletters, we process your email address and the related consent data for that purpose.
We use a consent-based model. The legal basis is Article 6(1)(a) GDPR. You can withdraw your consent at any time with effect for the future, for example by contacting us at the privacy contact details listed above or by using any unsubscribe option that may be included in an email.
We may retain suppression information after a withdrawal so that we can document the withdrawal and ensure that no further marketing emails are sent to you unintentionally.
7. Email delivery through Google Cloud Platform
We use Google Cloud Platform to send operational emails and communications related to contact form submissions, assessment reports, newsletters, and product or service updates.
Depending on the message type, Google Cloud Platform may process recipient details, sender details, subject lines, message metadata, and message content to enable delivery, transmission security, and technical logging.
The legal basis depends on the email category: Article 6(1)(b) GDPR for requested replies and assessment communications, Article 6(1)(a) GDPR for newsletters and update emails, and Article 6(1)(f) GDPR for delivery logging, security, and system administration.
8. Google Analytics
We use Google Analytics to analyze and improve the performance of the website. Google Analytics is only activated if you give consent through the cookie banner or cookie settings.
If consent is given, Google Analytics may process usage and device-related information, including interactions with pages, approximate location derived from IP or device signals, browser information, referrer data, and cookie-based identifiers.
The legal basis is Article 6(1)(a) GDPR in conjunction with the Austrian rules on storing or accessing information on user devices. You can withdraw your consent at any time through the cookie settings.
- Google Analytics remains disabled until you actively opt in.
- Google Analytics data retention depends on the production configuration of the property. Google documents configurable retention periods for user-level data, including 2 months and 14 months for standard properties.
- You should verify the live property settings before publishing this policy and update this section if a more specific retention statement is appropriate.
9. Cookies and consent settings
This website uses technically necessary storage for core functions and for recording your privacy choices. Optional analytics cookies are only used if you actively consent.
To remember your consent choice, the website stores a local browser entry and a cookie that records whether measurement has been allowed. These records are used so that your preference can be respected on later visits.
Under Austrian law, non-essential cookies or comparable technologies generally require prior consent. We therefore ask for consent before enabling Google Analytics or similar optional measurement tools.
- Necessary storage: language, consent state, and related technical settings required for the website to function properly.
- Current consent identifiers used by the website: local storage key 'x09-consent-preferences' and cookie 'x09_consent_preferences'.
- Legal basis for necessary storage and related processing: Article 6(1)(f) GDPR and, where strictly necessary to provide a service expressly requested by the user, the Austrian implementation of ePrivacy rules.
- Legal basis for optional measurement technologies: your consent under Article 6(1)(a) GDPR.
10. Recipients and processors
We disclose personal data only where this is necessary for the purposes described in this policy, where we are legally required to do so, or where service providers process data on our behalf under appropriate contractual safeguards.
The main service provider categories currently used for this website are hosting and infrastructure services through Cloudflare and email or cloud services through Google Cloud Platform. If analytics is enabled by consent, Google also receives the relevant analytics data as an independent recipient or processor depending on the specific service configuration.
11. International data transfers
Some recipients or service providers may process personal data outside Austria or outside the European Economic Area. This can be the case in particular for cloud infrastructure and analytics services provided by multinational vendors.
Where personal data is transferred to a third country, we rely on a lawful transfer mechanism under Chapter V GDPR. Depending on the provider and the specific transfer, this may include an adequacy decision under Article 45 GDPR, Standard Contractual Clauses under Article 46 GDPR, and supplementary technical or organizational measures where required.
For transfers to the United States, an adequacy decision may be available where the receiving organization participates in the EU-U.S. Data Privacy Framework. Where that is not the case, other appropriate safeguards must be used.
12. Retention periods
We retain personal data only for as long as it is needed for the relevant purpose, for as long as consent remains valid where consent is the legal basis, and for as long as statutory retention, documentation, or defense obligations make continued storage necessary.
Inquiry and assessment data is generally kept for as long as necessary to handle the request, continue related discussions, and document the communication. Newsletter consent records and withdrawal records may be retained for as long as needed to prove consent or ensure that no further marketing emails are sent after an opt-out.
Technical logs, hosting data, and analytics retention periods depend on the live service configuration and operational necessity. You should verify the final production settings and, if needed, replace this section with exact periods used in practice.
13. Main legal bases
Where applicable, we process personal data on one or more of the following legal bases under the GDPR.
- Article 6(1)(a) GDPR: consent, especially for Google Analytics and newsletters or update emails.
- Article 6(1)(b) GDPR: processing necessary to respond to an inquiry, provide a requested assessment, or take pre-contractual steps.
- Article 6(1)(c) GDPR: processing necessary to comply with legal obligations, for example retention or disclosure duties.
- Article 6(1)(f) GDPR: legitimate interests in secure hosting, fraud prevention, technical administration, proof of consent, business communications, and defense of legal claims.
14. Your rights
Under the GDPR, you have the right to request access to your personal data, rectification of inaccurate data, erasure, restriction of processing, and data portability, and the right to object to processing based on legitimate interests.
If processing is based on consent, you also have the right to withdraw that consent at any time with effect for the future. Withdrawal does not affect the lawfulness of processing that took place before the withdrawal.
To exercise your rights, contact us using the privacy contact details listed above. We may need to verify your identity before responding.
15. Right to lodge a complaint
You also have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
In Austria, the competent supervisory authority is the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, Austria, email: dsb@dsb.gv.at, website: https://www.dsb.gv.at/.
16. Obligation to provide data and automated decision-making
You are not generally obliged to provide personal data to us. However, some fields are necessary if you want us to process a contact request, send an assessment result, or provide updates you actively requested.
If you do not provide the data marked as required, we may be unable to handle the relevant request.
We do not use your data on this website for solely automated decision-making, including profiling, that produces legal effects or similarly significant effects within the meaning of Article 22 GDPR.
17. Changes to this privacy policy
We may update this privacy policy from time to time, especially if we change the website, our forms, the providers we use, or the legal requirements that apply to our processing activities.
The version published on this website at the time of your visit applies.